1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/test_root_certs.h"
6
7 #include "base/files/file_path.h"
8 #include "build/build_config.h"
9 #include "net/base/features.h"
10 #include "net/base/net_errors.h"
11 #include "net/cert/cert_net_fetcher.h"
12 #include "net/cert/cert_status_flags.h"
13 #include "net/cert/cert_verify_proc.h"
14 #include "net/cert/cert_verify_result.h"
15 #include "net/cert/crl_set.h"
16 #include "net/cert/x509_certificate.h"
17 #include "net/log/net_log_with_source.h"
18 #include "net/net_buildflags.h"
19 #include "net/test/cert_builder.h"
20 #include "net/test/cert_test_util.h"
21 #include "net/test/gtest_util.h"
22 #include "net/test/test_data_directory.h"
23 #include "testing/gmock/include/gmock/gmock.h"
24 #include "testing/gtest/include/gtest/gtest.h"
25
26 using net::test::IsOk;
27
28 namespace net {
29
30 namespace {
31
32 // The local test root certificate.
33 const char kRootCertificateFile[] = "root_ca_cert.pem";
34 // A certificate issued by the local test root for 127.0.0.1.
35 const char kGoodCertificateFile[] = "ok_cert.pem";
36
CreateCertVerifyProc()37 scoped_refptr<CertVerifyProc> CreateCertVerifyProc() {
38 #if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
39 if (base::FeatureList::IsEnabled(features::kChromeRootStoreUsed)) {
40 return CertVerifyProc::CreateBuiltinWithChromeRootStore(
41 /*cert_net_fetcher=*/nullptr, CRLSet::BuiltinCRLSet().get(),
42 /*root_store_data=*/nullptr, /*instance_params=*/{});
43 }
44 #endif
45 #if BUILDFLAG(CHROME_ROOT_STORE_ONLY)
46 return CertVerifyProc::CreateBuiltinWithChromeRootStore(
47 /*cert_net_fetcher=*/nullptr, CRLSet::BuiltinCRLSet().get(),
48 /*root_store_data=*/nullptr, /*instance_params=*/{});
49 #elif BUILDFLAG(IS_FUCHSIA)
50 return CertVerifyProc::CreateBuiltinVerifyProc(
51 /*cert_net_fetcher=*/nullptr, CRLSet::BuiltinCRLSet().get(),
52 /*instance_params=*/{});
53 #else
54 return CertVerifyProc::CreateSystemVerifyProc(/*cert_net_fetcher=*/nullptr,
55 CRLSet::BuiltinCRLSet().get());
56 #endif
57 }
58
59 } // namespace
60
61 // Test basic functionality when adding from an existing X509Certificate.
TEST(TestRootCertsTest,AddFromPointer)62 TEST(TestRootCertsTest, AddFromPointer) {
63 scoped_refptr<X509Certificate> root_cert =
64 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
65 ASSERT_NE(static_cast<X509Certificate*>(nullptr), root_cert.get());
66
67 TestRootCerts* test_roots = TestRootCerts::GetInstance();
68 ASSERT_NE(static_cast<TestRootCerts*>(nullptr), test_roots);
69 EXPECT_TRUE(test_roots->IsEmpty());
70
71 {
72 ScopedTestRoot scoped_root(root_cert);
73 EXPECT_FALSE(test_roots->IsEmpty());
74 }
75 EXPECT_TRUE(test_roots->IsEmpty());
76 }
77
78 // Test that TestRootCerts actually adds the appropriate trust status flags
79 // when requested, and that the trusted status is cleared once the root is
80 // removed the TestRootCerts. This test acts as a canary/sanity check for
81 // the results of the rest of net_unittests, ensuring that the trust status
82 // is properly being set and cleared.
TEST(TestRootCertsTest,OverrideTrust)83 TEST(TestRootCertsTest, OverrideTrust) {
84 TestRootCerts* test_roots = TestRootCerts::GetInstance();
85 ASSERT_NE(static_cast<TestRootCerts*>(nullptr), test_roots);
86 EXPECT_TRUE(test_roots->IsEmpty());
87
88 scoped_refptr<X509Certificate> test_cert =
89 ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile);
90 ASSERT_NE(static_cast<X509Certificate*>(nullptr), test_cert.get());
91
92 // Test that the good certificate fails verification, because the root
93 // certificate should not yet be trusted.
94 int flags = 0;
95 CertVerifyResult bad_verify_result;
96 scoped_refptr<CertVerifyProc> verify_proc(CreateCertVerifyProc());
97 int bad_status = verify_proc->Verify(test_cert.get(), "127.0.0.1",
98 /*ocsp_response=*/std::string(),
99 /*sct_list=*/std::string(), flags,
100 &bad_verify_result, NetLogWithSource());
101 EXPECT_NE(OK, bad_status);
102 EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
103 EXPECT_FALSE(bad_verify_result.is_issued_by_known_root);
104
105 // Add the root certificate and mark it as trusted.
106 scoped_refptr<X509Certificate> root_cert =
107 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
108 ASSERT_TRUE(root_cert);
109 ScopedTestRoot scoped_root(root_cert);
110 EXPECT_FALSE(test_roots->IsEmpty());
111
112 // Test that the certificate verification now succeeds, because the
113 // TestRootCerts is successfully imbuing trust.
114 CertVerifyResult good_verify_result;
115 int good_status = verify_proc->Verify(
116 test_cert.get(), "127.0.0.1", /*ocsp_response=*/std::string(),
117 /*sct_list=*/std::string(), flags, &good_verify_result,
118 NetLogWithSource());
119 EXPECT_THAT(good_status, IsOk());
120 EXPECT_EQ(0u, good_verify_result.cert_status);
121 EXPECT_FALSE(good_verify_result.is_issued_by_known_root);
122
123 test_roots->Clear();
124 EXPECT_TRUE(test_roots->IsEmpty());
125
126 // Ensure that when the TestRootCerts is cleared, the trust settings
127 // revert to their original state, and don't linger. If trust status
128 // lingers, it will likely break other tests in net_unittests.
129 CertVerifyResult restored_verify_result;
130 int restored_status = verify_proc->Verify(
131 test_cert.get(), "127.0.0.1", /*ocsp_response=*/std::string(),
132 /*sct_list=*/std::string(), flags, &restored_verify_result,
133 NetLogWithSource());
134 EXPECT_NE(OK, restored_status);
135 EXPECT_NE(0u,
136 restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
137 EXPECT_EQ(bad_status, restored_status);
138 EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
139 EXPECT_FALSE(restored_verify_result.is_issued_by_known_root);
140 }
141
TEST(TestRootCertsTest,OverrideKnownRoot)142 TEST(TestRootCertsTest, OverrideKnownRoot) {
143 TestRootCerts* test_roots = TestRootCerts::GetInstance();
144 ASSERT_NE(static_cast<TestRootCerts*>(nullptr), test_roots);
145 EXPECT_TRUE(test_roots->IsEmpty());
146
147 // Use a runtime generated certificate chain so that the cert lifetime is not
148 // too long, and so that it will have an allowable hostname for a publicly
149 // trusted cert.
150 auto [leaf, root] = net::CertBuilder::CreateSimpleChain2();
151
152 // Add the root certificate and mark it as trusted and as a known root.
153 ScopedTestRoot scoped_root(root->GetX509Certificate());
154 ScopedTestKnownRoot scoped_known_root(root->GetX509Certificate().get());
155 EXPECT_FALSE(test_roots->IsEmpty());
156
157 // Test that the certificate verification sets the `is_issued_by_known_root`
158 // flag.
159 CertVerifyResult good_verify_result;
160 scoped_refptr<CertVerifyProc> verify_proc(CreateCertVerifyProc());
161 int flags = 0;
162 int good_status =
163 verify_proc->Verify(leaf->GetX509Certificate().get(), "www.example.com",
164 /*ocsp_response=*/std::string(),
165 /*sct_list=*/std::string(), flags,
166 &good_verify_result, NetLogWithSource());
167 EXPECT_THAT(good_status, IsOk());
168 EXPECT_EQ(0u, good_verify_result.cert_status);
169 EXPECT_TRUE(good_verify_result.is_issued_by_known_root);
170
171 test_roots->Clear();
172 EXPECT_TRUE(test_roots->IsEmpty());
173
174 // Ensure that when the TestRootCerts is cleared, the test known root status
175 // revert to their original state, and don't linger. If known root status
176 // lingers, it will likely break other tests in net_unittests.
177 // Trust the root again so that the `is_issued_by_known_root` value will be
178 // calculated, and ensure that it is false now.
179 ScopedTestRoot scoped_root2(root->GetX509Certificate());
180 CertVerifyResult restored_verify_result;
181 int restored_status =
182 verify_proc->Verify(leaf->GetX509Certificate().get(), "www.example.com",
183 /*ocsp_response=*/std::string(),
184 /*sct_list=*/std::string(), flags,
185 &restored_verify_result, NetLogWithSource());
186 EXPECT_THAT(restored_status, IsOk());
187 EXPECT_EQ(0u, restored_verify_result.cert_status);
188 EXPECT_FALSE(restored_verify_result.is_issued_by_known_root);
189 }
190
TEST(TestRootCertsTest,Moveable)191 TEST(TestRootCertsTest, Moveable) {
192 TestRootCerts* test_roots = TestRootCerts::GetInstance();
193 ASSERT_NE(static_cast<TestRootCerts*>(nullptr), test_roots);
194 EXPECT_TRUE(test_roots->IsEmpty());
195
196 scoped_refptr<X509Certificate> test_cert =
197 ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile);
198 ASSERT_NE(static_cast<X509Certificate*>(nullptr), test_cert.get());
199
200 int flags = 0;
201 CertVerifyResult bad_verify_result;
202 int bad_status;
203 scoped_refptr<CertVerifyProc> verify_proc(CreateCertVerifyProc());
204 {
205 // Empty ScopedTestRoot at outer scope has no effect.
206 ScopedTestRoot scoped_root_outer;
207 EXPECT_TRUE(test_roots->IsEmpty());
208
209 // Test that the good certificate fails verification, because the root
210 // certificate should not yet be trusted.
211 bad_status = verify_proc->Verify(test_cert.get(), "127.0.0.1",
212 /*ocsp_response=*/std::string(),
213 /*sct_list=*/std::string(), flags,
214 &bad_verify_result, NetLogWithSource());
215 EXPECT_NE(OK, bad_status);
216 EXPECT_NE(0u,
217 bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
218
219 {
220 // Add the root certificate and mark it as trusted.
221 scoped_refptr<X509Certificate> root_cert =
222 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
223 ASSERT_TRUE(root_cert);
224 ScopedTestRoot scoped_root_inner(root_cert);
225 EXPECT_FALSE(test_roots->IsEmpty());
226
227 // Test that the certificate verification now succeeds, because the
228 // TestRootCerts is successfully imbuing trust.
229 CertVerifyResult good_verify_result;
230 int good_status = verify_proc->Verify(
231 test_cert.get(), "127.0.0.1", /*ocsp_response=*/std::string(),
232 /*sct_list=*/std::string(), flags, &good_verify_result,
233 NetLogWithSource());
234 EXPECT_THAT(good_status, IsOk());
235 EXPECT_EQ(0u, good_verify_result.cert_status);
236
237 EXPECT_FALSE(scoped_root_inner.IsEmpty());
238 EXPECT_TRUE(scoped_root_outer.IsEmpty());
239 // Move from inner scoped root to outer
240 scoped_root_outer = std::move(scoped_root_inner);
241 EXPECT_FALSE(test_roots->IsEmpty());
242 EXPECT_FALSE(scoped_root_outer.IsEmpty());
243 }
244 // After inner scoper was freed, test root is still trusted since ownership
245 // was moved to the outer scoper.
246 EXPECT_FALSE(test_roots->IsEmpty());
247 EXPECT_FALSE(scoped_root_outer.IsEmpty());
248
249 // Test that the certificate verification still succeeds, because the
250 // TestRootCerts is successfully imbuing trust.
251 CertVerifyResult good_verify_result;
252 int good_status = verify_proc->Verify(
253 test_cert.get(), "127.0.0.1", /*ocsp_response=*/std::string(),
254 /*sct_list=*/std::string(), flags, &good_verify_result,
255 NetLogWithSource());
256 EXPECT_THAT(good_status, IsOk());
257 EXPECT_EQ(0u, good_verify_result.cert_status);
258 }
259 EXPECT_TRUE(test_roots->IsEmpty());
260
261 // Ensure that when the TestRootCerts is cleared, the trust settings
262 // revert to their original state, and don't linger. If trust status
263 // lingers, it will likely break other tests in net_unittests.
264 CertVerifyResult restored_verify_result;
265 int restored_status = verify_proc->Verify(
266 test_cert.get(), "127.0.0.1", /*ocsp_response=*/std::string(),
267 /*sct_list=*/std::string(), flags, &restored_verify_result,
268 NetLogWithSource());
269 EXPECT_NE(OK, restored_status);
270 EXPECT_NE(0u,
271 restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
272 EXPECT_EQ(bad_status, restored_status);
273 EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
274 }
275
276 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that
277 // TestRootCerts properly injects itself into the validation process. See
278 // http://crbug.com/63958
279
280 } // namespace net
281