1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_verify_proc.h"
6
7 #include <vector>
8
9 #include "base/callback_helpers.h"
10 #include "base/files/file_path.h"
11 #include "base/logging.h"
12 #include "base/sha1.h"
13 #include "base/strings/string_number_conversions.h"
14 #include "crypto/sha2.h"
15 #include "net/base/net_errors.h"
16 #include "net/base/test_data_directory.h"
17 #include "net/cert/asn1_util.h"
18 #include "net/cert/cert_status_flags.h"
19 #include "net/cert/cert_verifier.h"
20 #include "net/cert/cert_verify_result.h"
21 #include "net/cert/crl_set.h"
22 #include "net/cert/test_root_certs.h"
23 #include "net/cert/x509_certificate.h"
24 #include "net/test/cert_test_util.h"
25 #include "net/test/test_certificate_data.h"
26 #include "testing/gtest/include/gtest/gtest.h"
27
28 #if defined(OS_WIN)
29 #include "base/win/windows_version.h"
30 #elif defined(OS_MACOSX) && !defined(OS_IOS)
31 #include "base/mac/mac_util.h"
32 #endif
33
34 using base::HexEncode;
35
36 namespace net {
37
38 namespace {
39
40 // A certificate for www.paypal.com with a NULL byte in the common name.
41 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
42 unsigned char paypal_null_fingerprint[] = {
43 0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba,
44 0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7
45 };
46
47 // Mock CertVerifyProc that will set |verify_result->is_issued_by_known_root|
48 // for all certificates that are Verified.
49 class WellKnownCaCertVerifyProc : public CertVerifyProc {
50 public:
51 // Initialize a CertVerifyProc that will set
52 // |verify_result->is_issued_by_known_root| to |is_well_known|.
WellKnownCaCertVerifyProc(bool is_well_known)53 explicit WellKnownCaCertVerifyProc(bool is_well_known)
54 : is_well_known_(is_well_known) {}
55
56 // CertVerifyProc implementation:
SupportsAdditionalTrustAnchors() const57 virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE { return false; }
58
59 protected:
~WellKnownCaCertVerifyProc()60 virtual ~WellKnownCaCertVerifyProc() {}
61
62 private:
63 virtual int VerifyInternal(X509Certificate* cert,
64 const std::string& hostname,
65 int flags,
66 CRLSet* crl_set,
67 const CertificateList& additional_trust_anchors,
68 CertVerifyResult* verify_result) OVERRIDE;
69
70 const bool is_well_known_;
71
72 DISALLOW_COPY_AND_ASSIGN(WellKnownCaCertVerifyProc);
73 };
74
VerifyInternal(X509Certificate * cert,const std::string & hostname,int flags,CRLSet * crl_set,const CertificateList & additional_trust_anchors,CertVerifyResult * verify_result)75 int WellKnownCaCertVerifyProc::VerifyInternal(
76 X509Certificate* cert,
77 const std::string& hostname,
78 int flags,
79 CRLSet* crl_set,
80 const CertificateList& additional_trust_anchors,
81 CertVerifyResult* verify_result) {
82 verify_result->is_issued_by_known_root = is_well_known_;
83 return OK;
84 }
85
86 } // namespace
87
88 class CertVerifyProcTest : public testing::Test {
89 public:
CertVerifyProcTest()90 CertVerifyProcTest()
91 : verify_proc_(CertVerifyProc::CreateDefault()) {
92 }
~CertVerifyProcTest()93 virtual ~CertVerifyProcTest() {}
94
95 protected:
SupportsAdditionalTrustAnchors()96 bool SupportsAdditionalTrustAnchors() {
97 return verify_proc_->SupportsAdditionalTrustAnchors();
98 }
99
Verify(X509Certificate * cert,const std::string & hostname,int flags,CRLSet * crl_set,const CertificateList & additional_trust_anchors,CertVerifyResult * verify_result)100 int Verify(X509Certificate* cert,
101 const std::string& hostname,
102 int flags,
103 CRLSet* crl_set,
104 const CertificateList& additional_trust_anchors,
105 CertVerifyResult* verify_result) {
106 return verify_proc_->Verify(cert, hostname, flags, crl_set,
107 additional_trust_anchors, verify_result);
108 }
109
110 const CertificateList empty_cert_list_;
111 scoped_refptr<CertVerifyProc> verify_proc_;
112 };
113
TEST_F(CertVerifyProcTest,DISABLED_WithoutRevocationChecking)114 TEST_F(CertVerifyProcTest, DISABLED_WithoutRevocationChecking) {
115 // Check that verification without revocation checking works.
116 CertificateList certs = CreateCertificateListFromFile(
117 GetTestCertsDirectory(),
118 "googlenew.chain.pem",
119 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
120
121 X509Certificate::OSCertHandles intermediates;
122 intermediates.push_back(certs[1]->os_cert_handle());
123
124 scoped_refptr<X509Certificate> google_full_chain =
125 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
126 intermediates);
127
128 CertVerifyResult verify_result;
129 EXPECT_EQ(OK,
130 Verify(google_full_chain.get(),
131 "www.google.com",
132 0 /* flags */,
133 NULL,
134 empty_cert_list_,
135 &verify_result));
136 }
137
138 #if defined(OS_ANDROID) || defined(USE_OPENSSL)
139 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
140 #define MAYBE_EVVerification DISABLED_EVVerification
141 #else
142 #define MAYBE_EVVerification EVVerification
143 #endif
TEST_F(CertVerifyProcTest,MAYBE_EVVerification)144 TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
145 CertificateList certs = CreateCertificateListFromFile(
146 GetTestCertsDirectory(),
147 "comodo.chain.pem",
148 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
149 ASSERT_EQ(3U, certs.size());
150
151 X509Certificate::OSCertHandles intermediates;
152 intermediates.push_back(certs[1]->os_cert_handle());
153 intermediates.push_back(certs[2]->os_cert_handle());
154
155 scoped_refptr<X509Certificate> comodo_chain =
156 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
157 intermediates);
158
159 scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
160 CertVerifyResult verify_result;
161 int flags = CertVerifier::VERIFY_EV_CERT;
162 int error = Verify(comodo_chain.get(),
163 "comodo.com",
164 flags,
165 crl_set.get(),
166 empty_cert_list_,
167 &verify_result);
168 EXPECT_EQ(OK, error);
169 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
170 }
171
TEST_F(CertVerifyProcTest,PaypalNullCertParsing)172 TEST_F(CertVerifyProcTest, PaypalNullCertParsing) {
173 scoped_refptr<X509Certificate> paypal_null_cert(
174 X509Certificate::CreateFromBytes(
175 reinterpret_cast<const char*>(paypal_null_der),
176 sizeof(paypal_null_der)));
177
178 ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert);
179
180 const SHA1HashValue& fingerprint =
181 paypal_null_cert->fingerprint();
182 for (size_t i = 0; i < 20; ++i)
183 EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]);
184
185 int flags = 0;
186 CertVerifyResult verify_result;
187 int error = Verify(paypal_null_cert.get(),
188 "www.paypal.com",
189 flags,
190 NULL,
191 empty_cert_list_,
192 &verify_result);
193 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_ANDROID)
194 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
195 #else
196 // TOOD(bulach): investigate why macosx and win aren't returning
197 // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
198 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
199 #endif
200 // Either the system crypto library should correctly report a certificate
201 // name mismatch, or our certificate blacklist should cause us to report an
202 // invalid certificate.
203 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS)
204 EXPECT_TRUE(verify_result.cert_status &
205 (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
206 #endif
207 }
208
209 // A regression test for http://crbug.com/31497.
210 #if defined(OS_ANDROID)
211 // Disabled on Android, as the Android verification libraries require an
212 // explicit policy to be specified, even when anyPolicy is permitted.
213 #define MAYBE_IntermediateCARequireExplicitPolicy \
214 DISABLED_IntermediateCARequireExplicitPolicy
215 #else
216 #define MAYBE_IntermediateCARequireExplicitPolicy \
217 IntermediateCARequireExplicitPolicy
218 #endif
TEST_F(CertVerifyProcTest,MAYBE_IntermediateCARequireExplicitPolicy)219 TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
220 base::FilePath certs_dir = GetTestCertsDirectory();
221
222 CertificateList certs = CreateCertificateListFromFile(
223 certs_dir, "explicit-policy-chain.pem",
224 X509Certificate::FORMAT_AUTO);
225 ASSERT_EQ(3U, certs.size());
226
227 X509Certificate::OSCertHandles intermediates;
228 intermediates.push_back(certs[1]->os_cert_handle());
229
230 scoped_refptr<X509Certificate> cert =
231 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
232 intermediates);
233 ASSERT_TRUE(cert.get());
234
235 ScopedTestRoot scoped_root(certs[2].get());
236
237 int flags = 0;
238 CertVerifyResult verify_result;
239 int error = Verify(cert.get(),
240 "policy_test.example",
241 flags,
242 NULL,
243 empty_cert_list_,
244 &verify_result);
245 EXPECT_EQ(OK, error);
246 EXPECT_EQ(0u, verify_result.cert_status);
247 }
248
249 // Test for bug 58437.
250 // This certificate will expire on 2011-12-21. The test will still
251 // pass if error == ERR_CERT_DATE_INVALID.
252 // This test is DISABLED because it appears that we cannot do
253 // certificate revocation checking when running all of the net unit tests.
254 // This test passes when run individually, but when run with all of the net
255 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is
256 // SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation
257 // status, i.e. that the revocation check is failing for some reason.
TEST_F(CertVerifyProcTest,DISABLED_GlobalSignR3EVTest)258 TEST_F(CertVerifyProcTest, DISABLED_GlobalSignR3EVTest) {
259 base::FilePath certs_dir = GetTestCertsDirectory();
260
261 scoped_refptr<X509Certificate> server_cert =
262 ImportCertFromFile(certs_dir, "2029_globalsign_com_cert.pem");
263 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
264
265 scoped_refptr<X509Certificate> intermediate_cert =
266 ImportCertFromFile(certs_dir, "globalsign_ev_sha256_ca_cert.pem");
267 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
268
269 X509Certificate::OSCertHandles intermediates;
270 intermediates.push_back(intermediate_cert->os_cert_handle());
271 scoped_refptr<X509Certificate> cert_chain =
272 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
273 intermediates);
274
275 CertVerifyResult verify_result;
276 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED |
277 CertVerifier::VERIFY_EV_CERT;
278 int error = Verify(cert_chain.get(),
279 "2029.globalsign.com",
280 flags,
281 NULL,
282 empty_cert_list_,
283 &verify_result);
284 if (error == OK)
285 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
286 else
287 EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
288 }
289
290 // Test that verifying an ECDSA certificate doesn't crash on XP. (See
291 // crbug.com/144466).
TEST_F(CertVerifyProcTest,ECDSA_RSA)292 TEST_F(CertVerifyProcTest, ECDSA_RSA) {
293 base::FilePath certs_dir = GetTestCertsDirectory();
294
295 scoped_refptr<X509Certificate> cert =
296 ImportCertFromFile(certs_dir,
297 "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem");
298
299 CertVerifyResult verify_result;
300 Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_, &verify_result);
301
302 // We don't check verify_result because the certificate is signed by an
303 // unknown CA and will be considered invalid on XP because of the ECDSA
304 // public key.
305 }
306
307 // Currently, only RSA and DSA keys are checked for weakness, and our example
308 // weak size is 768. These could change in the future.
309 //
310 // Note that this means there may be false negatives: keys for other
311 // algorithms and which are weak will pass this test.
IsWeakKeyType(const std::string & key_type)312 static bool IsWeakKeyType(const std::string& key_type) {
313 size_t pos = key_type.find("-");
314 std::string size = key_type.substr(0, pos);
315 std::string type = key_type.substr(pos + 1);
316
317 if (type == "rsa" || type == "dsa")
318 return size == "768";
319
320 return false;
321 }
322
TEST_F(CertVerifyProcTest,RejectWeakKeys)323 TEST_F(CertVerifyProcTest, RejectWeakKeys) {
324 base::FilePath certs_dir = GetTestCertsDirectory();
325 typedef std::vector<std::string> Strings;
326 Strings key_types;
327
328 // generate-weak-test-chains.sh currently has:
329 // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
330 // We must use the same key types here. The filenames generated look like:
331 // 2048-rsa-ee-by-768-rsa-intermediate.pem
332 key_types.push_back("768-rsa");
333 key_types.push_back("1024-rsa");
334 key_types.push_back("2048-rsa");
335
336 bool use_ecdsa = true;
337 #if defined(OS_WIN)
338 use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP;
339 #endif
340
341 if (use_ecdsa)
342 key_types.push_back("prime256v1-ecdsa");
343
344 // Add the root that signed the intermediates for this test.
345 scoped_refptr<X509Certificate> root_cert =
346 ImportCertFromFile(certs_dir, "2048-rsa-root.pem");
347 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
348 ScopedTestRoot scoped_root(root_cert.get());
349
350 // Now test each chain.
351 for (Strings::const_iterator ee_type = key_types.begin();
352 ee_type != key_types.end(); ++ee_type) {
353 for (Strings::const_iterator signer_type = key_types.begin();
354 signer_type != key_types.end(); ++signer_type) {
355 std::string basename = *ee_type + "-ee-by-" + *signer_type +
356 "-intermediate.pem";
357 SCOPED_TRACE(basename);
358 scoped_refptr<X509Certificate> ee_cert =
359 ImportCertFromFile(certs_dir, basename);
360 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
361
362 basename = *signer_type + "-intermediate.pem";
363 scoped_refptr<X509Certificate> intermediate =
364 ImportCertFromFile(certs_dir, basename);
365 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate);
366
367 X509Certificate::OSCertHandles intermediates;
368 intermediates.push_back(intermediate->os_cert_handle());
369 scoped_refptr<X509Certificate> cert_chain =
370 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
371 intermediates);
372
373 CertVerifyResult verify_result;
374 int error = Verify(cert_chain.get(),
375 "127.0.0.1",
376 0,
377 NULL,
378 empty_cert_list_,
379 &verify_result);
380
381 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
382 EXPECT_NE(OK, error);
383 EXPECT_EQ(CERT_STATUS_WEAK_KEY,
384 verify_result.cert_status & CERT_STATUS_WEAK_KEY);
385 EXPECT_NE(CERT_STATUS_INVALID,
386 verify_result.cert_status & CERT_STATUS_INVALID);
387 } else {
388 EXPECT_EQ(OK, error);
389 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
390 }
391 }
392 }
393 }
394
395 // Regression test for http://crbug.com/108514.
396 #if defined(OS_MACOSX) && !defined(OS_IOS)
397 // Disabled on OS X - Security.framework doesn't ignore superflous certificates
398 // provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
399 // details.
400 #define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
401 #elif defined(USE_OPENSSL) || defined(OS_ANDROID)
402 // Disabled for OpenSSL / Android - Android and OpenSSL do not attempt to find
403 // a minimal certificate chain, thus prefer the MD5 root over the SHA-1 root.
404 #define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
405 #else
406 #define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
407 #endif
TEST_F(CertVerifyProcTest,MAYBE_ExtraneousMD5RootCert)408 TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
409 base::FilePath certs_dir = GetTestCertsDirectory();
410
411 scoped_refptr<X509Certificate> server_cert =
412 ImportCertFromFile(certs_dir, "cross-signed-leaf.pem");
413 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
414
415 scoped_refptr<X509Certificate> extra_cert =
416 ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem");
417 ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get());
418
419 scoped_refptr<X509Certificate> root_cert =
420 ImportCertFromFile(certs_dir, "cross-signed-root-sha1.pem");
421 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
422
423 ScopedTestRoot scoped_root(root_cert.get());
424
425 X509Certificate::OSCertHandles intermediates;
426 intermediates.push_back(extra_cert->os_cert_handle());
427 scoped_refptr<X509Certificate> cert_chain =
428 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
429 intermediates);
430
431 CertVerifyResult verify_result;
432 int flags = 0;
433 int error = Verify(cert_chain.get(),
434 "127.0.0.1",
435 flags,
436 NULL,
437 empty_cert_list_,
438 &verify_result);
439 EXPECT_EQ(OK, error);
440
441 // The extra MD5 root should be discarded
442 ASSERT_TRUE(verify_result.verified_cert.get());
443 ASSERT_EQ(1u,
444 verify_result.verified_cert->GetIntermediateCertificates().size());
445 EXPECT_TRUE(X509Certificate::IsSameOSCert(
446 verify_result.verified_cert->GetIntermediateCertificates().front(),
447 root_cert->os_cert_handle()));
448
449 EXPECT_FALSE(verify_result.has_md5);
450 }
451
452 // Test for bug 94673.
TEST_F(CertVerifyProcTest,GoogleDigiNotarTest)453 TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
454 base::FilePath certs_dir = GetTestCertsDirectory();
455
456 scoped_refptr<X509Certificate> server_cert =
457 ImportCertFromFile(certs_dir, "google_diginotar.pem");
458 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
459
460 scoped_refptr<X509Certificate> intermediate_cert =
461 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem");
462 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
463
464 X509Certificate::OSCertHandles intermediates;
465 intermediates.push_back(intermediate_cert->os_cert_handle());
466 scoped_refptr<X509Certificate> cert_chain =
467 X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
468 intermediates);
469
470 CertVerifyResult verify_result;
471 int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED;
472 int error = Verify(cert_chain.get(),
473 "mail.google.com",
474 flags,
475 NULL,
476 empty_cert_list_,
477 &verify_result);
478 EXPECT_NE(OK, error);
479
480 // Now turn off revocation checking. Certificate verification should still
481 // fail.
482 flags = 0;
483 error = Verify(cert_chain.get(),
484 "mail.google.com",
485 flags,
486 NULL,
487 empty_cert_list_,
488 &verify_result);
489 EXPECT_NE(OK, error);
490 }
491
TEST_F(CertVerifyProcTest,DigiNotarCerts)492 TEST_F(CertVerifyProcTest, DigiNotarCerts) {
493 static const char* const kDigiNotarFilenames[] = {
494 "diginotar_root_ca.pem",
495 "diginotar_cyber_ca.pem",
496 "diginotar_services_1024_ca.pem",
497 "diginotar_pkioverheid.pem",
498 "diginotar_pkioverheid_g2.pem",
499 NULL,
500 };
501
502 base::FilePath certs_dir = GetTestCertsDirectory();
503
504 for (size_t i = 0; kDigiNotarFilenames[i]; i++) {
505 scoped_refptr<X509Certificate> diginotar_cert =
506 ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
507 std::string der_bytes;
508 ASSERT_TRUE(X509Certificate::GetDEREncoded(
509 diginotar_cert->os_cert_handle(), &der_bytes));
510
511 base::StringPiece spki;
512 ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
513
514 std::string spki_sha1 = base::SHA1HashString(spki.as_string());
515
516 HashValueVector public_keys;
517 HashValue hash(HASH_VALUE_SHA1);
518 ASSERT_EQ(hash.size(), spki_sha1.size());
519 memcpy(hash.data(), spki_sha1.data(), spki_sha1.size());
520 public_keys.push_back(hash);
521
522 EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) <<
523 "Public key not blocked for " << kDigiNotarFilenames[i];
524 }
525 }
526
TEST_F(CertVerifyProcTest,NameConstraintsOk)527 TEST_F(CertVerifyProcTest, NameConstraintsOk) {
528 CertificateList ca_cert_list =
529 CreateCertificateListFromFile(GetTestCertsDirectory(),
530 "root_ca_cert.pem",
531 X509Certificate::FORMAT_AUTO);
532 ASSERT_EQ(1U, ca_cert_list.size());
533 ScopedTestRoot test_root(ca_cert_list[0]);
534
535 CertificateList cert_list = CreateCertificateListFromFile(
536 GetTestCertsDirectory(), "name_constraint_ok.crt",
537 X509Certificate::FORMAT_AUTO);
538 ASSERT_EQ(1U, cert_list.size());
539
540 X509Certificate::OSCertHandles intermediates;
541 scoped_refptr<X509Certificate> leaf =
542 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
543 intermediates);
544
545 int flags = 0;
546 CertVerifyResult verify_result;
547 int error = Verify(leaf.get(),
548 "test.example.com",
549 flags,
550 NULL,
551 empty_cert_list_,
552 &verify_result);
553 EXPECT_EQ(OK, error);
554 EXPECT_EQ(0U, verify_result.cert_status);
555 }
556
557 #if defined(OS_ANDROID)
558 // Disabled because Android isn't filling in SPKI hashes: crbug.com/116838.
559 #define MAYBE_NameConstraintsFailure DISABLED_NameConstraintsFailure
560 #else
561 #define MAYBE_NameConstraintsFailure NameConstraintsFailure
562 #endif
TEST_F(CertVerifyProcTest,MAYBE_NameConstraintsFailure)563 TEST_F(CertVerifyProcTest, MAYBE_NameConstraintsFailure) {
564 CertificateList ca_cert_list =
565 CreateCertificateListFromFile(GetTestCertsDirectory(),
566 "root_ca_cert.pem",
567 X509Certificate::FORMAT_AUTO);
568 ASSERT_EQ(1U, ca_cert_list.size());
569 ScopedTestRoot test_root(ca_cert_list[0]);
570
571 CertificateList cert_list = CreateCertificateListFromFile(
572 GetTestCertsDirectory(), "name_constraint_bad.crt",
573 X509Certificate::FORMAT_AUTO);
574 ASSERT_EQ(1U, cert_list.size());
575
576 X509Certificate::OSCertHandles intermediates;
577 scoped_refptr<X509Certificate> leaf =
578 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
579 intermediates);
580
581 int flags = 0;
582 CertVerifyResult verify_result;
583 int error = Verify(leaf.get(),
584 "test.example.com",
585 flags,
586 NULL,
587 empty_cert_list_,
588 &verify_result);
589 EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error);
590 EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
591 verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
592 }
593
594 // The certse.pem certificate has been revoked. crbug.com/259723.
TEST_F(CertVerifyProcTest,TestKnownRoot)595 TEST_F(CertVerifyProcTest, TestKnownRoot) {
596 base::FilePath certs_dir = GetTestCertsDirectory();
597 CertificateList certs = CreateCertificateListFromFile(
598 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
599 ASSERT_EQ(2U, certs.size());
600
601 X509Certificate::OSCertHandles intermediates;
602 intermediates.push_back(certs[1]->os_cert_handle());
603
604 scoped_refptr<X509Certificate> cert_chain =
605 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
606 intermediates);
607
608 int flags = 0;
609 CertVerifyResult verify_result;
610 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
611 // against agl. See also PublicKeyHashes.
612 int error = Verify(cert_chain.get(),
613 "satveda.com",
614 flags,
615 NULL,
616 empty_cert_list_,
617 &verify_result);
618 EXPECT_EQ(OK, error);
619 EXPECT_EQ(0U, verify_result.cert_status);
620 EXPECT_TRUE(verify_result.is_issued_by_known_root);
621 }
622
623 // The certse.pem certificate has been revoked. crbug.com/259723.
TEST_F(CertVerifyProcTest,PublicKeyHashes)624 TEST_F(CertVerifyProcTest, PublicKeyHashes) {
625 base::FilePath certs_dir = GetTestCertsDirectory();
626 CertificateList certs = CreateCertificateListFromFile(
627 certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
628 ASSERT_EQ(2U, certs.size());
629
630 X509Certificate::OSCertHandles intermediates;
631 intermediates.push_back(certs[1]->os_cert_handle());
632
633 scoped_refptr<X509Certificate> cert_chain =
634 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
635 intermediates);
636 int flags = 0;
637 CertVerifyResult verify_result;
638
639 // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
640 // against agl. See also TestKnownRoot.
641 int error = Verify(cert_chain.get(),
642 "satveda.com",
643 flags,
644 NULL,
645 empty_cert_list_,
646 &verify_result);
647 EXPECT_EQ(OK, error);
648 EXPECT_EQ(0U, verify_result.cert_status);
649 ASSERT_LE(2U, verify_result.public_key_hashes.size());
650
651 HashValueVector sha1_hashes;
652 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
653 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1)
654 continue;
655 sha1_hashes.push_back(verify_result.public_key_hashes[i]);
656 }
657 ASSERT_LE(2u, sha1_hashes.size());
658
659 for (size_t i = 0; i < 2; ++i) {
660 EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length),
661 HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
662 }
663
664 HashValueVector sha256_hashes;
665 for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
666 if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256)
667 continue;
668 sha256_hashes.push_back(verify_result.public_key_hashes[i]);
669 }
670 ASSERT_LE(2u, sha256_hashes.size());
671
672 for (size_t i = 0; i < 2; ++i) {
673 EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length),
674 HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
675 }
676 }
677
678 // A regression test for http://crbug.com/70293.
679 // The Key Usage extension in this RSA SSL server certificate does not have
680 // the keyEncipherment bit.
TEST_F(CertVerifyProcTest,InvalidKeyUsage)681 TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
682 base::FilePath certs_dir = GetTestCertsDirectory();
683
684 scoped_refptr<X509Certificate> server_cert =
685 ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
686 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
687
688 int flags = 0;
689 CertVerifyResult verify_result;
690 int error = Verify(server_cert.get(),
691 "jira.aquameta.com",
692 flags,
693 NULL,
694 empty_cert_list_,
695 &verify_result);
696 #if defined(USE_OPENSSL) && !defined(OS_ANDROID)
697 // This certificate has two errors: "invalid key usage" and "untrusted CA".
698 // However, OpenSSL returns only one (the latter), and we can't detect
699 // the other errors.
700 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
701 #else
702 EXPECT_EQ(ERR_CERT_INVALID, error);
703 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
704 #endif
705 // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
706 // from NSS.
707 #if !defined(USE_NSS) && !defined(OS_IOS) && !defined(OS_ANDROID)
708 // The certificate is issued by an unknown CA.
709 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
710 #endif
711 }
712
713 // Basic test for returning the chain in CertVerifyResult. Note that the
714 // returned chain may just be a reflection of the originally supplied chain;
715 // that is, if any errors occur, the default chain returned is an exact copy
716 // of the certificate to be verified. The remaining VerifyReturn* tests are
717 // used to ensure that the actual, verified chain is being returned by
718 // Verify().
TEST_F(CertVerifyProcTest,VerifyReturnChainBasic)719 TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
720 base::FilePath certs_dir = GetTestCertsDirectory();
721 CertificateList certs = CreateCertificateListFromFile(
722 certs_dir, "x509_verify_results.chain.pem",
723 X509Certificate::FORMAT_AUTO);
724 ASSERT_EQ(3U, certs.size());
725
726 X509Certificate::OSCertHandles intermediates;
727 intermediates.push_back(certs[1]->os_cert_handle());
728 intermediates.push_back(certs[2]->os_cert_handle());
729
730 ScopedTestRoot scoped_root(certs[2].get());
731
732 scoped_refptr<X509Certificate> google_full_chain =
733 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
734 intermediates);
735 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
736 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
737
738 CertVerifyResult verify_result;
739 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
740 int error = Verify(google_full_chain.get(),
741 "127.0.0.1",
742 0,
743 NULL,
744 empty_cert_list_,
745 &verify_result);
746 EXPECT_EQ(OK, error);
747 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
748
749 EXPECT_NE(google_full_chain, verify_result.verified_cert);
750 EXPECT_TRUE(X509Certificate::IsSameOSCert(
751 google_full_chain->os_cert_handle(),
752 verify_result.verified_cert->os_cert_handle()));
753 const X509Certificate::OSCertHandles& return_intermediates =
754 verify_result.verified_cert->GetIntermediateCertificates();
755 ASSERT_EQ(2U, return_intermediates.size());
756 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
757 certs[1]->os_cert_handle()));
758 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
759 certs[2]->os_cert_handle()));
760 }
761
762 #if defined(OS_ANDROID)
763 // TODO(ppi): Disabled because is_issued_by_known_root is incorrect on Android.
764 // Once this is fixed, re-enable this check for android. crbug.com/116838
765 #define MAYBE_IntranetHostsRejected DISABLED_IntranetHostsRejected
766 #else
767 #define MAYBE_IntranetHostsRejected IntranetHostsRejected
768 #endif
769
770 // Test that certificates issued for 'intranet' names (that is, containing no
771 // known public registry controlled domain information) issued by well-known
772 // CAs are flagged appropriately, while certificates that are issued by
773 // internal CAs are not flagged.
TEST_F(CertVerifyProcTest,MAYBE_IntranetHostsRejected)774 TEST_F(CertVerifyProcTest, MAYBE_IntranetHostsRejected) {
775 CertificateList cert_list = CreateCertificateListFromFile(
776 GetTestCertsDirectory(), "ok_cert.pem",
777 X509Certificate::FORMAT_AUTO);
778 ASSERT_EQ(1U, cert_list.size());
779 scoped_refptr<X509Certificate> cert(cert_list[0]);
780
781 CertVerifyResult verify_result;
782 int error = 0;
783
784 // Intranet names for public CAs should be flagged:
785 verify_proc_ = new WellKnownCaCertVerifyProc(true);
786 error =
787 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
788 EXPECT_EQ(OK, error);
789 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
790
791 // However, if the CA is not well known, these should not be flagged:
792 verify_proc_ = new WellKnownCaCertVerifyProc(false);
793 error =
794 Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
795 EXPECT_EQ(OK, error);
796 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
797 }
798
799 // Test that the certificate returned in CertVerifyResult is able to reorder
800 // certificates that are not ordered from end-entity to root. While this is
801 // a protocol violation if sent during a TLS handshake, if multiple sources
802 // of intermediate certificates are combined, it's possible that order may
803 // not be maintained.
TEST_F(CertVerifyProcTest,VerifyReturnChainProperlyOrdered)804 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
805 base::FilePath certs_dir = GetTestCertsDirectory();
806 CertificateList certs = CreateCertificateListFromFile(
807 certs_dir, "x509_verify_results.chain.pem",
808 X509Certificate::FORMAT_AUTO);
809 ASSERT_EQ(3U, certs.size());
810
811 // Construct the chain out of order.
812 X509Certificate::OSCertHandles intermediates;
813 intermediates.push_back(certs[2]->os_cert_handle());
814 intermediates.push_back(certs[1]->os_cert_handle());
815
816 ScopedTestRoot scoped_root(certs[2].get());
817
818 scoped_refptr<X509Certificate> google_full_chain =
819 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
820 intermediates);
821 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
822 ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
823
824 CertVerifyResult verify_result;
825 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
826 int error = Verify(google_full_chain.get(),
827 "127.0.0.1",
828 0,
829 NULL,
830 empty_cert_list_,
831 &verify_result);
832 EXPECT_EQ(OK, error);
833 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
834
835 EXPECT_NE(google_full_chain, verify_result.verified_cert);
836 EXPECT_TRUE(X509Certificate::IsSameOSCert(
837 google_full_chain->os_cert_handle(),
838 verify_result.verified_cert->os_cert_handle()));
839 const X509Certificate::OSCertHandles& return_intermediates =
840 verify_result.verified_cert->GetIntermediateCertificates();
841 ASSERT_EQ(2U, return_intermediates.size());
842 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
843 certs[1]->os_cert_handle()));
844 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
845 certs[2]->os_cert_handle()));
846 }
847
848 // Test that Verify() filters out certificates which are not related to
849 // or part of the certificate chain being verified.
TEST_F(CertVerifyProcTest,VerifyReturnChainFiltersUnrelatedCerts)850 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
851 base::FilePath certs_dir = GetTestCertsDirectory();
852 CertificateList certs = CreateCertificateListFromFile(
853 certs_dir, "x509_verify_results.chain.pem",
854 X509Certificate::FORMAT_AUTO);
855 ASSERT_EQ(3U, certs.size());
856 ScopedTestRoot scoped_root(certs[2].get());
857
858 scoped_refptr<X509Certificate> unrelated_certificate =
859 ImportCertFromFile(certs_dir, "duplicate_cn_1.pem");
860 scoped_refptr<X509Certificate> unrelated_certificate2 =
861 ImportCertFromFile(certs_dir, "aia-cert.pem");
862 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate);
863 ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2);
864
865 // Interject unrelated certificates into the list of intermediates.
866 X509Certificate::OSCertHandles intermediates;
867 intermediates.push_back(unrelated_certificate->os_cert_handle());
868 intermediates.push_back(certs[1]->os_cert_handle());
869 intermediates.push_back(unrelated_certificate2->os_cert_handle());
870 intermediates.push_back(certs[2]->os_cert_handle());
871
872 scoped_refptr<X509Certificate> google_full_chain =
873 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
874 intermediates);
875 ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
876 ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
877
878 CertVerifyResult verify_result;
879 EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
880 int error = Verify(google_full_chain.get(),
881 "127.0.0.1",
882 0,
883 NULL,
884 empty_cert_list_,
885 &verify_result);
886 EXPECT_EQ(OK, error);
887 ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
888
889 EXPECT_NE(google_full_chain, verify_result.verified_cert);
890 EXPECT_TRUE(X509Certificate::IsSameOSCert(
891 google_full_chain->os_cert_handle(),
892 verify_result.verified_cert->os_cert_handle()));
893 const X509Certificate::OSCertHandles& return_intermediates =
894 verify_result.verified_cert->GetIntermediateCertificates();
895 ASSERT_EQ(2U, return_intermediates.size());
896 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
897 certs[1]->os_cert_handle()));
898 EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
899 certs[2]->os_cert_handle()));
900 }
901
TEST_F(CertVerifyProcTest,AdditionalTrustAnchors)902 TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
903 if (!SupportsAdditionalTrustAnchors()) {
904 LOG(INFO) << "Skipping this test in this platform.";
905 return;
906 }
907
908 // |ca_cert| is the issuer of |cert|.
909 CertificateList ca_cert_list = CreateCertificateListFromFile(
910 GetTestCertsDirectory(), "root_ca_cert.pem",
911 X509Certificate::FORMAT_AUTO);
912 ASSERT_EQ(1U, ca_cert_list.size());
913 scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);
914
915 CertificateList cert_list = CreateCertificateListFromFile(
916 GetTestCertsDirectory(), "ok_cert.pem",
917 X509Certificate::FORMAT_AUTO);
918 ASSERT_EQ(1U, cert_list.size());
919 scoped_refptr<X509Certificate> cert(cert_list[0]);
920
921 // Verification of |cert| fails when |ca_cert| is not in the trust anchors
922 // list.
923 int flags = 0;
924 CertVerifyResult verify_result;
925 int error = Verify(
926 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
927 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
928 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
929 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
930
931 // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
932 CertificateList trust_anchors;
933 trust_anchors.push_back(ca_cert);
934 error = Verify(
935 cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result);
936 EXPECT_EQ(OK, error);
937 EXPECT_EQ(0U, verify_result.cert_status);
938 EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
939
940 // Clearing the |trust_anchors| makes verification fail again (the cache
941 // should be skipped).
942 error = Verify(
943 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
944 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
945 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
946 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
947 }
948
949 #if defined(OS_MACOSX) && !defined(OS_IOS)
950 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust
951 // Root can be successfully worked around once Apple completes removing the
952 // older GTE CyberTrust Root from its trusted root store.
953 //
954 // The issue is caused by servers supplying the cross-certified intermediate
955 // (necessary for certain mobile platforms), which OS X does not recognize
956 // as already existing within its trust store.
TEST_F(CertVerifyProcTest,CybertrustGTERoot)957 TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
958 CertificateList certs = CreateCertificateListFromFile(
959 GetTestCertsDirectory(),
960 "cybertrust_omniroot_chain.pem",
961 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
962 ASSERT_EQ(2U, certs.size());
963
964 X509Certificate::OSCertHandles intermediates;
965 intermediates.push_back(certs[1]->os_cert_handle());
966
967 scoped_refptr<X509Certificate> cybertrust_basic =
968 X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
969 intermediates);
970 ASSERT_TRUE(cybertrust_basic.get());
971
972 scoped_refptr<X509Certificate> baltimore_root =
973 ImportCertFromFile(GetTestCertsDirectory(),
974 "cybertrust_baltimore_root.pem");
975 ASSERT_TRUE(baltimore_root.get());
976
977 ScopedTestRoot scoped_root(baltimore_root.get());
978
979 // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This
980 // simulates Keychain removing support for the GTE CyberTrust Root.
981 TestRootCerts::GetInstance()->SetAllowSystemTrust(false);
982 base::ScopedClosureRunner reset_system_trust(
983 base::Bind(&TestRootCerts::SetAllowSystemTrust,
984 base::Unretained(TestRootCerts::GetInstance()),
985 true));
986
987 // First, make sure a simple certificate chain from
988 // EE -> Public SureServer SV -> Baltimore CyberTrust
989 // works. Only the first two certificates are included in the chain.
990 int flags = 0;
991 CertVerifyResult verify_result;
992 int error = Verify(cybertrust_basic.get(),
993 "cacert.omniroot.com",
994 flags,
995 NULL,
996 empty_cert_list_,
997 &verify_result);
998 EXPECT_EQ(OK, error);
999 EXPECT_EQ(0U, verify_result.cert_status);
1000
1001 // Attempt to verify with the first known cross-certified intermediate
1002 // provided.
1003 scoped_refptr<X509Certificate> baltimore_intermediate_1 =
1004 ImportCertFromFile(GetTestCertsDirectory(),
1005 "cybertrust_baltimore_cross_certified_1.pem");
1006 ASSERT_TRUE(baltimore_intermediate_1.get());
1007
1008 X509Certificate::OSCertHandles intermediate_chain_1 =
1009 cybertrust_basic->GetIntermediateCertificates();
1010 intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle());
1011
1012 scoped_refptr<X509Certificate> baltimore_chain_1 =
1013 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1014 intermediate_chain_1);
1015 error = Verify(baltimore_chain_1.get(),
1016 "cacert.omniroot.com",
1017 flags,
1018 NULL,
1019 empty_cert_list_,
1020 &verify_result);
1021 EXPECT_EQ(OK, error);
1022 EXPECT_EQ(0U, verify_result.cert_status);
1023
1024 // Attempt to verify with the second known cross-certified intermediate
1025 // provided.
1026 scoped_refptr<X509Certificate> baltimore_intermediate_2 =
1027 ImportCertFromFile(GetTestCertsDirectory(),
1028 "cybertrust_baltimore_cross_certified_2.pem");
1029 ASSERT_TRUE(baltimore_intermediate_2.get());
1030
1031 X509Certificate::OSCertHandles intermediate_chain_2 =
1032 cybertrust_basic->GetIntermediateCertificates();
1033 intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle());
1034
1035 scoped_refptr<X509Certificate> baltimore_chain_2 =
1036 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1037 intermediate_chain_2);
1038 error = Verify(baltimore_chain_2.get(),
1039 "cacert.omniroot.com",
1040 flags,
1041 NULL,
1042 empty_cert_list_,
1043 &verify_result);
1044 EXPECT_EQ(OK, error);
1045 EXPECT_EQ(0U, verify_result.cert_status);
1046
1047 // Attempt to verify when both a cross-certified intermediate AND
1048 // the legacy GTE root are provided.
1049 scoped_refptr<X509Certificate> cybertrust_root =
1050 ImportCertFromFile(GetTestCertsDirectory(),
1051 "cybertrust_gte_root.pem");
1052 ASSERT_TRUE(cybertrust_root.get());
1053
1054 intermediate_chain_2.push_back(cybertrust_root->os_cert_handle());
1055 scoped_refptr<X509Certificate> baltimore_chain_with_root =
1056 X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
1057 intermediate_chain_2);
1058 error = Verify(baltimore_chain_with_root.get(),
1059 "cacert.omniroot.com",
1060 flags,
1061 NULL,
1062 empty_cert_list_,
1063 &verify_result);
1064 EXPECT_EQ(OK, error);
1065 EXPECT_EQ(0U, verify_result.cert_status);
1066
1067 }
1068 #endif
1069
1070 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX)
1071 static const uint8 kCRLSetLeafSPKIBlocked[] = {
1072 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1073 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1074 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1075 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1076 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1077 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1078 0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1079 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x43, 0x38, 0x4d, 0x4a, 0x46, 0x55, 0x55,
1080 0x5a, 0x38, 0x43, 0x79, 0x54, 0x2b, 0x4e, 0x57, 0x64, 0x68, 0x69, 0x7a, 0x51,
1081 0x68, 0x54, 0x49, 0x65, 0x46, 0x49, 0x37, 0x76, 0x41, 0x77, 0x7a, 0x64, 0x54,
1082 0x79, 0x52, 0x59, 0x45, 0x6e, 0x78, 0x6c, 0x33, 0x62, 0x67, 0x3d, 0x22, 0x5d,
1083 0x7d,
1084 };
1085
1086 static const uint8 kCRLSetLeafSerialBlocked[] = {
1087 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1088 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1089 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1090 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1091 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1092 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1093 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1094 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0x0f, 0x87, 0xe4, 0xc7, 0x75, 0xea,
1095 0x46, 0x7e, 0xf3, 0xfd, 0x82, 0xb7, 0x46, 0x7b, 0x10, 0xda, 0xc5, 0xbf, 0xd8,
1096 0xd1, 0x29, 0xb2, 0xc6, 0xac, 0x7f, 0x51, 0x42, 0x15, 0x28, 0x51, 0x06, 0x7f,
1097 0x01, 0x00, 0x00, 0x00, // number of serials
1098 0x01, 0xed, // serial 0xed
1099 };
1100
1101 static const uint8 kCRLSetQUICSerialBlocked[] = {
1102 0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
1103 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
1104 0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
1105 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
1106 0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
1107 0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
1108 0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
1109 0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d,
1110 // Issuer SPKI SHA-256 hash:
1111 0xe4, 0x3a, 0xa3, 0xdb, 0x98, 0x31, 0x61, 0x05, 0xdd, 0x57, 0x6d, 0xc6, 0x2f,
1112 0x71, 0x26, 0xba, 0xdd, 0xf4, 0x98, 0x3e, 0x62, 0x22, 0xf8, 0xf9, 0xe4, 0x18,
1113 0x62, 0x77, 0x79, 0xdb, 0x9b, 0x31,
1114 0x01, 0x00, 0x00, 0x00, // number of serials
1115 0x01, 0x03, // serial 3
1116 };
1117
1118 // Test that CRLSets are effective in making a certificate appear to be
1119 // revoked.
TEST_F(CertVerifyProcTest,CRLSet)1120 TEST_F(CertVerifyProcTest, CRLSet) {
1121 CertificateList ca_cert_list =
1122 CreateCertificateListFromFile(GetTestCertsDirectory(),
1123 "root_ca_cert.pem",
1124 X509Certificate::FORMAT_AUTO);
1125 ASSERT_EQ(1U, ca_cert_list.size());
1126 ScopedTestRoot test_root(ca_cert_list[0]);
1127
1128 CertificateList cert_list = CreateCertificateListFromFile(
1129 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
1130 ASSERT_EQ(1U, cert_list.size());
1131 scoped_refptr<X509Certificate> cert(cert_list[0]);
1132
1133 int flags = 0;
1134 CertVerifyResult verify_result;
1135 int error = Verify(
1136 cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
1137 EXPECT_EQ(OK, error);
1138 EXPECT_EQ(0U, verify_result.cert_status);
1139
1140 // First test blocking by SPKI.
1141 base::StringPiece crl_set_bytes(
1142 reinterpret_cast<const char*>(kCRLSetLeafSPKIBlocked),
1143 sizeof(kCRLSetLeafSPKIBlocked));
1144 scoped_refptr<CRLSet> crl_set;
1145 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
1146
1147 error = Verify(cert.get(),
1148 "127.0.0.1",
1149 flags,
1150 crl_set.get(),
1151 empty_cert_list_,
1152 &verify_result);
1153 EXPECT_EQ(ERR_CERT_REVOKED, error);
1154
1155 // Second, test revocation by serial number of a cert directly under the
1156 // root.
1157 crl_set_bytes =
1158 base::StringPiece(reinterpret_cast<const char*>(kCRLSetLeafSerialBlocked),
1159 sizeof(kCRLSetLeafSerialBlocked));
1160 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
1161
1162 error = Verify(cert.get(),
1163 "127.0.0.1",
1164 flags,
1165 crl_set.get(),
1166 empty_cert_list_,
1167 &verify_result);
1168 EXPECT_EQ(ERR_CERT_REVOKED, error);
1169 }
1170
TEST_F(CertVerifyProcTest,CRLSetLeafSerial)1171 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
1172 CertificateList ca_cert_list =
1173 CreateCertificateListFromFile(GetTestCertsDirectory(),
1174 "quic_root.crt",
1175 X509Certificate::FORMAT_AUTO);
1176 ASSERT_EQ(1U, ca_cert_list.size());
1177 ScopedTestRoot test_root(ca_cert_list[0]);
1178
1179 CertificateList intermediate_cert_list =
1180 CreateCertificateListFromFile(GetTestCertsDirectory(),
1181 "quic_intermediate.crt",
1182 X509Certificate::FORMAT_AUTO);
1183 ASSERT_EQ(1U, intermediate_cert_list.size());
1184 X509Certificate::OSCertHandles intermediates;
1185 intermediates.push_back(intermediate_cert_list[0]->os_cert_handle());
1186
1187 CertificateList cert_list = CreateCertificateListFromFile(
1188 GetTestCertsDirectory(), "quic_test.example.com.crt",
1189 X509Certificate::FORMAT_AUTO);
1190 ASSERT_EQ(1U, cert_list.size());
1191
1192 scoped_refptr<X509Certificate> leaf =
1193 X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
1194 intermediates);
1195
1196 int flags = 0;
1197 CertVerifyResult verify_result;
1198 int error = Verify(leaf.get(),
1199 "test.example.com",
1200 flags,
1201 NULL,
1202 empty_cert_list_,
1203 &verify_result);
1204 EXPECT_EQ(OK, error);
1205 EXPECT_EQ(0U, verify_result.cert_status);
1206
1207 // Test revocation by serial number of a certificate not under the root.
1208 scoped_refptr<CRLSet> crl_set;
1209 base::StringPiece crl_set_bytes =
1210 base::StringPiece(reinterpret_cast<const char*>(kCRLSetQUICSerialBlocked),
1211 sizeof(kCRLSetQUICSerialBlocked));
1212 ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
1213
1214 error = Verify(leaf.get(),
1215 "test.example.com",
1216 flags,
1217 crl_set.get(),
1218 empty_cert_list_,
1219 &verify_result);
1220 EXPECT_EQ(ERR_CERT_REVOKED, error);
1221 }
1222 #endif
1223
1224 struct WeakDigestTestData {
1225 const char* root_cert_filename;
1226 const char* intermediate_cert_filename;
1227 const char* ee_cert_filename;
1228 bool expected_has_md5;
1229 bool expected_has_md4;
1230 bool expected_has_md2;
1231 };
1232
1233 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
1234 // to output the parameter that was passed. Without this, it will simply
1235 // attempt to print out the first twenty bytes of the object, which depending
1236 // on platform and alignment, may result in an invalid read.
PrintTo(const WeakDigestTestData & data,std::ostream * os)1237 void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
1238 *os << "root: "
1239 << (data.root_cert_filename ? data.root_cert_filename : "none")
1240 << "; intermediate: " << data.intermediate_cert_filename
1241 << "; end-entity: " << data.ee_cert_filename;
1242 }
1243
1244 class CertVerifyProcWeakDigestTest
1245 : public CertVerifyProcTest,
1246 public testing::WithParamInterface<WeakDigestTestData> {
1247 public:
CertVerifyProcWeakDigestTest()1248 CertVerifyProcWeakDigestTest() {}
~CertVerifyProcWeakDigestTest()1249 virtual ~CertVerifyProcWeakDigestTest() {}
1250 };
1251
TEST_P(CertVerifyProcWeakDigestTest,Verify)1252 TEST_P(CertVerifyProcWeakDigestTest, Verify) {
1253 WeakDigestTestData data = GetParam();
1254 base::FilePath certs_dir = GetTestCertsDirectory();
1255
1256 ScopedTestRoot test_root;
1257 if (data.root_cert_filename) {
1258 scoped_refptr<X509Certificate> root_cert =
1259 ImportCertFromFile(certs_dir, data.root_cert_filename);
1260 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
1261 test_root.Reset(root_cert.get());
1262 }
1263
1264 scoped_refptr<X509Certificate> intermediate_cert =
1265 ImportCertFromFile(certs_dir, data.intermediate_cert_filename);
1266 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
1267 scoped_refptr<X509Certificate> ee_cert =
1268 ImportCertFromFile(certs_dir, data.ee_cert_filename);
1269 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
1270
1271 X509Certificate::OSCertHandles intermediates;
1272 intermediates.push_back(intermediate_cert->os_cert_handle());
1273
1274 scoped_refptr<X509Certificate> ee_chain =
1275 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
1276 intermediates);
1277 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain);
1278
1279 int flags = 0;
1280 CertVerifyResult verify_result;
1281 int rv = Verify(ee_chain.get(),
1282 "127.0.0.1",
1283 flags,
1284 NULL,
1285 empty_cert_list_,
1286 &verify_result);
1287 EXPECT_EQ(data.expected_has_md5, verify_result.has_md5);
1288 EXPECT_EQ(data.expected_has_md4, verify_result.has_md4);
1289 EXPECT_EQ(data.expected_has_md2, verify_result.has_md2);
1290 EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
1291
1292 // Ensure that MD4 and MD2 are tagged as invalid.
1293 if (data.expected_has_md4 || data.expected_has_md2) {
1294 EXPECT_EQ(CERT_STATUS_INVALID,
1295 verify_result.cert_status & CERT_STATUS_INVALID);
1296 }
1297
1298 // Ensure that MD5 is flagged as weak.
1299 if (data.expected_has_md5) {
1300 EXPECT_EQ(
1301 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
1302 verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
1303 }
1304
1305 // If a root cert is present, then check that the chain was rejected if any
1306 // weak algorithms are present. This is only checked when a root cert is
1307 // present because the error reported for incomplete chains with weak
1308 // algorithms depends on which implementation was used to validate (NSS,
1309 // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm
1310 // present (MD2, MD4, MD5).
1311 if (data.root_cert_filename) {
1312 if (data.expected_has_md4 || data.expected_has_md2) {
1313 EXPECT_EQ(ERR_CERT_INVALID, rv);
1314 } else if (data.expected_has_md5) {
1315 EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv);
1316 } else {
1317 EXPECT_EQ(OK, rv);
1318 }
1319 }
1320 }
1321
1322 // Unlike TEST/TEST_F, which are macros that expand to further macros,
1323 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that
1324 // stringizes the arguments. As a result, macros passed as parameters (such as
1325 // prefix or test_case_name) will not be expanded by the preprocessor. To work
1326 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the
1327 // pre-processor will expand macros such as MAYBE_test_name before
1328 // instantiating the test.
1329 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
1330 INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator)
1331
1332 // The signature algorithm of the root CA should not matter.
1333 const WeakDigestTestData kVerifyRootCATestData[] = {
1334 { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
1335 "weak_digest_sha1_ee.pem", false, false, false },
1336 #if defined(USE_OPENSSL) || defined(OS_WIN)
1337 // MD4 is not supported by OS X / NSS
1338 { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
1339 "weak_digest_sha1_ee.pem", false, false, false },
1340 #endif
1341 { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
1342 "weak_digest_sha1_ee.pem", false, false, false },
1343 };
1344 INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest,
1345 testing::ValuesIn(kVerifyRootCATestData));
1346
1347 // The signature algorithm of intermediates should be properly detected.
1348 const WeakDigestTestData kVerifyIntermediateCATestData[] = {
1349 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
1350 "weak_digest_sha1_ee.pem", true, false, false },
1351 #if defined(USE_OPENSSL) || defined(OS_WIN)
1352 // MD4 is not supported by OS X / NSS
1353 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
1354 "weak_digest_sha1_ee.pem", false, true, false },
1355 #endif
1356 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
1357 "weak_digest_sha1_ee.pem", false, false, true },
1358 };
1359 // Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled.
1360 #if defined(USE_NSS) || defined(OS_IOS)
1361 #define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate
1362 #else
1363 #define MAYBE_VerifyIntermediate VerifyIntermediate
1364 #endif
1365 WRAPPED_INSTANTIATE_TEST_CASE_P(
1366 MAYBE_VerifyIntermediate,
1367 CertVerifyProcWeakDigestTest,
1368 testing::ValuesIn(kVerifyIntermediateCATestData));
1369
1370 // The signature algorithm of end-entity should be properly detected.
1371 const WeakDigestTestData kVerifyEndEntityTestData[] = {
1372 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1373 "weak_digest_md5_ee.pem", true, false, false },
1374 #if defined(USE_OPENSSL) || defined(OS_WIN)
1375 // MD4 is not supported by OS X / NSS
1376 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1377 "weak_digest_md4_ee.pem", false, true, false },
1378 #endif
1379 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
1380 "weak_digest_md2_ee.pem", false, false, true },
1381 };
1382 // Disabled on NSS - NSS caches chains/signatures in such a way that cannot
1383 // be cleared until NSS is cleanly shutdown, which is not presently supported
1384 // in Chromium.
1385 #if defined(USE_NSS) || defined(OS_IOS)
1386 #define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity
1387 #else
1388 #define MAYBE_VerifyEndEntity VerifyEndEntity
1389 #endif
1390 WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
1391 CertVerifyProcWeakDigestTest,
1392 testing::ValuesIn(kVerifyEndEntityTestData));
1393
1394 // Incomplete chains should still report the status of the intermediate.
1395 const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
1396 { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
1397 true, false, false },
1398 #if defined(USE_OPENSSL) || defined(OS_WIN)
1399 // MD4 is not supported by OS X / NSS
1400 { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
1401 false, true, false },
1402 #endif
1403 { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
1404 false, false, true },
1405 };
1406 // Disabled on NSS - libpkix does not return constructed chains on error,
1407 // preventing us from detecting/inspecting the verified chain.
1408 #if defined(USE_NSS) || defined(OS_IOS)
1409 #define MAYBE_VerifyIncompleteIntermediate \
1410 DISABLED_VerifyIncompleteIntermediate
1411 #else
1412 #define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate
1413 #endif
1414 WRAPPED_INSTANTIATE_TEST_CASE_P(
1415 MAYBE_VerifyIncompleteIntermediate,
1416 CertVerifyProcWeakDigestTest,
1417 testing::ValuesIn(kVerifyIncompleteIntermediateTestData));
1418
1419 // Incomplete chains should still report the status of the end-entity.
1420 const WeakDigestTestData kVerifyIncompleteEETestData[] = {
1421 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
1422 true, false, false },
1423 #if defined(USE_OPENSSL) || defined(OS_WIN)
1424 // MD4 is not supported by OS X / NSS
1425 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
1426 false, true, false },
1427 #endif
1428 { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
1429 false, false, true },
1430 };
1431 // Disabled on NSS - libpkix does not return constructed chains on error,
1432 // preventing us from detecting/inspecting the verified chain.
1433 #if defined(USE_NSS) || defined(OS_IOS)
1434 #define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity
1435 #else
1436 #define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity
1437 #endif
1438 WRAPPED_INSTANTIATE_TEST_CASE_P(
1439 MAYBE_VerifyIncompleteEndEntity,
1440 CertVerifyProcWeakDigestTest,
1441 testing::ValuesIn(kVerifyIncompleteEETestData));
1442
1443 // Differing algorithms between the intermediate and the EE should still be
1444 // reported.
1445 const WeakDigestTestData kVerifyMixedTestData[] = {
1446 { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
1447 "weak_digest_md2_ee.pem", true, false, true },
1448 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
1449 "weak_digest_md5_ee.pem", true, false, true },
1450 #if defined(USE_OPENSSL) || defined(OS_WIN)
1451 // MD4 is not supported by OS X / NSS
1452 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
1453 "weak_digest_md2_ee.pem", false, true, true },
1454 #endif
1455 };
1456 // NSS does not support MD4 and does not enable MD2 by default, making all
1457 // permutations invalid.
1458 #if defined(USE_NSS) || defined(OS_IOS)
1459 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
1460 #else
1461 #define MAYBE_VerifyMixed VerifyMixed
1462 #endif
1463 WRAPPED_INSTANTIATE_TEST_CASE_P(
1464 MAYBE_VerifyMixed,
1465 CertVerifyProcWeakDigestTest,
1466 testing::ValuesIn(kVerifyMixedTestData));
1467
1468 // For the list of valid hostnames, see
1469 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem
1470 static const struct CertVerifyProcNameData {
1471 const char* hostname;
1472 bool valid; // Whether or not |hostname| matches a subjectAltName.
1473 } kVerifyNameData[] = {
1474 { "127.0.0.1", false }, // Don't match the common name
1475 { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4)
1476 { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6)
1477 { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN
1478 { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6)
1479 { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN
1480 { "test.example", true }, // Matches the dNSName SAN
1481 { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored)
1482 { "www.test.example", false }, // Should not match the dNSName SAN
1483 { "test..example", false }, // Should not match the dNSName SAN
1484 { "test.example..", false }, // Should not match the dNSName SAN
1485 { ".test.example.", false }, // Should not match the dNSName SAN
1486 { ".test.example", false }, // Should not match the dNSName SAN
1487 };
1488
1489 // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
1490 // to output the parameter that was passed. Without this, it will simply
1491 // attempt to print out the first twenty bytes of the object, which depending
1492 // on platform and alignment, may result in an invalid read.
PrintTo(const CertVerifyProcNameData & data,std::ostream * os)1493 void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
1494 *os << "Hostname: " << data.hostname << "; valid=" << data.valid;
1495 }
1496
1497 class CertVerifyProcNameTest
1498 : public CertVerifyProcTest,
1499 public testing::WithParamInterface<CertVerifyProcNameData> {
1500 public:
CertVerifyProcNameTest()1501 CertVerifyProcNameTest() {}
~CertVerifyProcNameTest()1502 virtual ~CertVerifyProcNameTest() {}
1503 };
1504
TEST_P(CertVerifyProcNameTest,VerifyCertName)1505 TEST_P(CertVerifyProcNameTest, VerifyCertName) {
1506 CertVerifyProcNameData data = GetParam();
1507
1508 CertificateList cert_list = CreateCertificateListFromFile(
1509 GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
1510 X509Certificate::FORMAT_AUTO);
1511 ASSERT_EQ(1U, cert_list.size());
1512 scoped_refptr<X509Certificate> cert(cert_list[0]);
1513
1514 ScopedTestRoot scoped_root(cert.get());
1515
1516 CertVerifyResult verify_result;
1517 int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
1518 &verify_result);
1519 if (data.valid) {
1520 EXPECT_EQ(OK, error);
1521 EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1522 } else {
1523 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
1524 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
1525 }
1526 }
1527
1528 WRAPPED_INSTANTIATE_TEST_CASE_P(
1529 VerifyName,
1530 CertVerifyProcNameTest,
1531 testing::ValuesIn(kVerifyNameData));
1532
1533 } // namespace net
1534