// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/cert_verify_proc_android.h" #include #include #include "net/cert/cert_net_fetcher.h" #include "net/cert/cert_verify_proc_android.h" #include "net/cert/cert_verify_result.h" #include "net/cert/crl_set.h" #include "net/cert/internal/test_helpers.h" #include "net/cert/mock_cert_net_fetcher.h" #include "net/cert/test_root_certs.h" #include "net/cert/x509_certificate.h" #include "net/cert/x509_util.h" #include "net/log/net_log_with_source.h" #include "net/test/cert_builder.h" #include "net/test/cert_test_util.h" #include "net/test/test_certificate_data.h" #include "net/test/test_data_directory.h" #include "testing/gmock/include/gmock/gmock-matchers.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" #include "url/gurl.h" using ::testing::ByMove; using ::testing::Return; using ::testing::_; namespace net { namespace { const char kHostname[] = "example.com"; const GURL kRootURL("http://aia.test/root"); const GURL kIntermediateURL("http://aia.test/intermediate"); std::unique_ptr CreateMockRequestWithInvalidCertificate() { return MockCertNetFetcherRequest::Create(std::vector({1, 2, 3})); } // A test fixture for testing CertVerifyProcAndroid AIA fetching. It creates, // sets up, and shuts down a MockCertNetFetcher for CertVerifyProcAndroid to // use, and enables the field trial for AIA fetching. class CertVerifyProcAndroidTestWithAIAFetching : public testing::Test { public: void SetUp() override { fetcher_ = base::MakeRefCounted(); // Generate a certificate chain with AIA pointers. Tests can modify these // if testing a different scenario. std::tie(leaf_, intermediate_, root_) = CertBuilder::CreateSimpleChain3(); root_->SetCaIssuersUrl(kRootURL); intermediate_->SetCaIssuersUrl(kRootURL); leaf_->SetCaIssuersUrl(kIntermediateURL); leaf_->SetSubjectAltName(kHostname); } void TearDown() override { // Ensure that mock expectations are checked, since the CertNetFetcher is // global and leaky. ASSERT_TRUE(testing::Mock::VerifyAndClearExpectations(fetcher_.get())); } scoped_refptr LeafOnly() { return leaf_->GetX509Certificate(); } scoped_refptr LeafWithIntermediate() { return leaf_->GetX509CertificateChain(); } protected: void TrustTestRoot() { scoped_test_root_.Reset({root_->GetX509Certificate()}); } scoped_refptr fetcher_; std::unique_ptr root_; std::unique_ptr intermediate_; std::unique_ptr leaf_; private: ScopedTestRoot scoped_test_root_; }; } // namespace // Tests that if the proper intermediates are supplied in the server-sent chain, // no AIA fetch occurs. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, NoFetchIfProperIntermediatesSupplied) { TrustTestRoot(); scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); CertVerifyResult verify_result; EXPECT_EQ(OK, proc->Verify(LeafWithIntermediate().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } // Tests that if the certificate does not contain an AIA URL, no AIA fetch // occurs. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, NoAIAURL) { leaf_->SetCaIssuersAndOCSPUrls(/*ca_issuers_urls=*/{}, /*ocsp_urls=*/{}); TrustTestRoot(); scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } // Tests that if a certificate contains one file:// URL and one http:// URL, // there are two fetches, with the latter resulting in a successful // verification. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, OneFileAndOneHTTPURL) { const GURL kFileURL("file:///dev/null"); leaf_->SetCaIssuersAndOCSPUrls( /*ca_issuers_urls=*/{kFileURL, kIntermediateURL}, /*ocsp_urls=*/{}); TrustTestRoot(); scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); // Expect two fetches: the file:// URL (which returns an error), and the // http:// URL that returns a valid intermediate signed by |root_|. Though the // intermediate itself contains an AIA URL, it should not be fetched because // |root_| is in the test trust store. EXPECT_CALL(*fetcher_, FetchCaIssuers(kFileURL, _, _)) .WillOnce(Return(ByMove( MockCertNetFetcherRequest::Create(ERR_DISALLOWED_URL_SCHEME)))); EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove( MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer())))); CertVerifyResult verify_result; EXPECT_EQ(OK, proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } // Tests that if an AIA request returns the wrong intermediate, certificate // verification should fail. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, UnsuccessfulVerificationWithLeafOnly) { TrustTestRoot(); scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); const scoped_refptr bad_intermediate = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove( MockCertNetFetcherRequest::Create(bad_intermediate->cert_buffer())))); CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } // Tests that if an AIA request returns an error, certificate verification // should fail. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, UnsuccessfulVerificationWithLeafOnlyAndErrorOnFetch) { TrustTestRoot(); scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED)))); CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } // Tests that if an AIA request returns an unparseable cert, certificate // verification should fail. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, UnsuccessfulVerificationWithLeafOnlyAndUnparseableFetch) { TrustTestRoot(); scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove(CreateMockRequestWithInvalidCertificate()))); CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } // Tests that if a certificate has two HTTP AIA URLs, they are both fetched. If // one serves an unrelated certificate and one serves a proper intermediate, the // latter should be used to build a valid chain. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, TwoHTTPURLs) { const GURL kUnrelatedURL("http://aia.test/unrelated"); leaf_->SetCaIssuersAndOCSPUrls( /*ca_issuers_urls=*/{kUnrelatedURL, kIntermediateURL}, /*ocsp_urls=*/{}); scoped_refptr unrelated = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); ASSERT_TRUE(unrelated); TrustTestRoot(); scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); // Expect two fetches, the first of which returns an unrelated certificate // that is not useful in chain-building, and the second of which returns a // valid intermediate signed by |root_|. Though the intermediate itself // contains an AIA URL, it should not be fetched because |root_| is in the // trust store. EXPECT_CALL(*fetcher_, FetchCaIssuers(kUnrelatedURL, _, _)) .WillOnce(Return( ByMove(MockCertNetFetcherRequest::Create(unrelated->cert_buffer())))); EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove( MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer())))); CertVerifyResult verify_result; EXPECT_EQ(OK, proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } // Tests that if an intermediate is fetched via AIA, and the intermediate itself // has an AIA URL, that URL is fetched if necessary. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, AIAFetchForFetchedIntermediate) { // Do not set up the test root to be trusted. If the test root were trusted, // then the intermediate would not require an AIA fetch. With the test root // untrusted, the intermediate does not verify and so it will trigger an AIA // fetch. scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); // Expect two fetches, the first of which returns an intermediate that itself // has an AIA URL. EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove( MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer())))); EXPECT_CALL(*fetcher_, FetchCaIssuers(kRootURL, _, _)) .WillOnce(Return( ByMove(MockCertNetFetcherRequest::Create(root_->GetCertBuffer())))); CertVerifyResult verify_result; // This chain results in an AUTHORITY_INVALID root because |root_| is not // trusted. EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } // Tests that if a certificate contains six AIA URLs, only the first five are // fetched, since the maximum number of fetches per Verify() call is five. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, MaxAIAFetches) { leaf_->SetCaIssuersAndOCSPUrls( /*ca_issuers_urls=*/{GURL("http://aia.test/1"), GURL("http://aia.test/2"), GURL("http://aia.test/3"), GURL("http://aia.test/4"), GURL("http://aia.test/5"), GURL("http://aia.test/6")}, /*ocsp_urls=*/{}); TrustTestRoot(); scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); EXPECT_CALL(*fetcher_, FetchCaIssuers(_, _, _)) .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED)))) .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED)))) .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED)))) .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED)))) .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED)))); CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } // Tests that if the supplied chain contains an intermediate with an AIA URL, // that AIA URL is fetched if necessary. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, FetchForSuppliedIntermediate) { // Do not set up the test root to be trusted. If the test root were trusted, // then the intermediate would not require an AIA fetch. With the test root // untrusted, the intermediate does not verify and so it will trigger an AIA // fetch. scoped_refptr proc = base::MakeRefCounted(fetcher_, CRLSet::BuiltinCRLSet()); EXPECT_CALL(*fetcher_, FetchCaIssuers(kRootURL, _, _)) .WillOnce(Return( ByMove(MockCertNetFetcherRequest::Create(root_->GetCertBuffer())))); CertVerifyResult verify_result; // This chain results in an AUTHORITY_INVALID root because |root_| is not // trusted. EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, proc->Verify(LeafWithIntermediate().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, &verify_result, NetLogWithSource())); } } // namespace net