• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/cert/multi_threaded_cert_verifier.h"
6 
7 #include "base/bind.h"
8 #include "base/files/file_path.h"
9 #include "base/format_macros.h"
10 #include "base/strings/stringprintf.h"
11 #include "net/base/net_errors.h"
12 #include "net/base/net_log.h"
13 #include "net/base/test_completion_callback.h"
14 #include "net/base/test_data_directory.h"
15 #include "net/cert/cert_trust_anchor_provider.h"
16 #include "net/cert/cert_verify_proc.h"
17 #include "net/cert/cert_verify_result.h"
18 #include "net/cert/x509_certificate.h"
19 #include "net/test/cert_test_util.h"
20 #include "testing/gmock/include/gmock/gmock.h"
21 #include "testing/gtest/include/gtest/gtest.h"
22 
23 using testing::Mock;
24 using testing::ReturnRef;
25 
26 namespace net {
27 
28 namespace {
29 
FailTest(int)30 void FailTest(int /* result */) {
31   FAIL();
32 }
33 
34 class MockCertVerifyProc : public CertVerifyProc {
35  public:
MockCertVerifyProc()36   MockCertVerifyProc() {}
37 
38  private:
~MockCertVerifyProc()39   virtual ~MockCertVerifyProc() {}
40 
41   // CertVerifyProc implementation
SupportsAdditionalTrustAnchors() const42   virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE {
43     return false;
44   }
45 
VerifyInternal(X509Certificate * cert,const std::string & hostname,int flags,CRLSet * crl_set,const CertificateList & additional_trust_anchors,CertVerifyResult * verify_result)46   virtual int VerifyInternal(X509Certificate* cert,
47                              const std::string& hostname,
48                              int flags,
49                              CRLSet* crl_set,
50                              const CertificateList& additional_trust_anchors,
51                              CertVerifyResult* verify_result) OVERRIDE {
52     verify_result->Reset();
53     verify_result->verified_cert = cert;
54     verify_result->cert_status = CERT_STATUS_COMMON_NAME_INVALID;
55     return ERR_CERT_COMMON_NAME_INVALID;
56   }
57 };
58 
59 class MockCertTrustAnchorProvider : public CertTrustAnchorProvider {
60  public:
MockCertTrustAnchorProvider()61   MockCertTrustAnchorProvider() {}
~MockCertTrustAnchorProvider()62   virtual ~MockCertTrustAnchorProvider() {}
63 
64   MOCK_METHOD0(GetAdditionalTrustAnchors, const CertificateList&());
65 };
66 
67 }  // namespace
68 
69 class MultiThreadedCertVerifierTest : public ::testing::Test {
70  public:
MultiThreadedCertVerifierTest()71   MultiThreadedCertVerifierTest() : verifier_(new MockCertVerifyProc()) {}
~MultiThreadedCertVerifierTest()72   virtual ~MultiThreadedCertVerifierTest() {}
73 
74  protected:
75   MultiThreadedCertVerifier verifier_;
76 };
77 
TEST_F(MultiThreadedCertVerifierTest,CacheHit)78 TEST_F(MultiThreadedCertVerifierTest, CacheHit) {
79   base::FilePath certs_dir = GetTestCertsDirectory();
80   scoped_refptr<X509Certificate> test_cert(
81       ImportCertFromFile(certs_dir, "ok_cert.pem"));
82   ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);
83 
84   int error;
85   CertVerifyResult verify_result;
86   TestCompletionCallback callback;
87   CertVerifier::RequestHandle request_handle;
88 
89   error = verifier_.Verify(test_cert.get(),
90                            "www.example.com",
91                            0,
92                            NULL,
93                            &verify_result,
94                            callback.callback(),
95                            &request_handle,
96                            BoundNetLog());
97   ASSERT_EQ(ERR_IO_PENDING, error);
98   EXPECT_TRUE(request_handle);
99   error = callback.WaitForResult();
100   ASSERT_TRUE(IsCertificateError(error));
101   ASSERT_EQ(1u, verifier_.requests());
102   ASSERT_EQ(0u, verifier_.cache_hits());
103   ASSERT_EQ(0u, verifier_.inflight_joins());
104   ASSERT_EQ(1u, verifier_.GetCacheSize());
105 
106   error = verifier_.Verify(test_cert.get(),
107                            "www.example.com",
108                            0,
109                            NULL,
110                            &verify_result,
111                            callback.callback(),
112                            &request_handle,
113                            BoundNetLog());
114   // Synchronous completion.
115   ASSERT_NE(ERR_IO_PENDING, error);
116   ASSERT_TRUE(IsCertificateError(error));
117   ASSERT_TRUE(request_handle == NULL);
118   ASSERT_EQ(2u, verifier_.requests());
119   ASSERT_EQ(1u, verifier_.cache_hits());
120   ASSERT_EQ(0u, verifier_.inflight_joins());
121   ASSERT_EQ(1u, verifier_.GetCacheSize());
122 }
123 
124 // Tests the same server certificate with different intermediate CA
125 // certificates.  These should be treated as different certificate chains even
126 // though the two X509Certificate objects contain the same server certificate.
TEST_F(MultiThreadedCertVerifierTest,DifferentCACerts)127 TEST_F(MultiThreadedCertVerifierTest, DifferentCACerts) {
128   base::FilePath certs_dir = GetTestCertsDirectory();
129 
130   scoped_refptr<X509Certificate> server_cert =
131       ImportCertFromFile(certs_dir, "salesforce_com_test.pem");
132   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
133 
134   scoped_refptr<X509Certificate> intermediate_cert1 =
135       ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem");
136   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert1);
137 
138   scoped_refptr<X509Certificate> intermediate_cert2 =
139       ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2016.pem");
140   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert2);
141 
142   X509Certificate::OSCertHandles intermediates;
143   intermediates.push_back(intermediate_cert1->os_cert_handle());
144   scoped_refptr<X509Certificate> cert_chain1 =
145       X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
146                                         intermediates);
147 
148   intermediates.clear();
149   intermediates.push_back(intermediate_cert2->os_cert_handle());
150   scoped_refptr<X509Certificate> cert_chain2 =
151       X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
152                                         intermediates);
153 
154   int error;
155   CertVerifyResult verify_result;
156   TestCompletionCallback callback;
157   CertVerifier::RequestHandle request_handle;
158 
159   error = verifier_.Verify(cert_chain1.get(),
160                            "www.example.com",
161                            0,
162                            NULL,
163                            &verify_result,
164                            callback.callback(),
165                            &request_handle,
166                            BoundNetLog());
167   ASSERT_EQ(ERR_IO_PENDING, error);
168   EXPECT_TRUE(request_handle);
169   error = callback.WaitForResult();
170   ASSERT_TRUE(IsCertificateError(error));
171   ASSERT_EQ(1u, verifier_.requests());
172   ASSERT_EQ(0u, verifier_.cache_hits());
173   ASSERT_EQ(0u, verifier_.inflight_joins());
174   ASSERT_EQ(1u, verifier_.GetCacheSize());
175 
176   error = verifier_.Verify(cert_chain2.get(),
177                            "www.example.com",
178                            0,
179                            NULL,
180                            &verify_result,
181                            callback.callback(),
182                            &request_handle,
183                            BoundNetLog());
184   ASSERT_EQ(ERR_IO_PENDING, error);
185   EXPECT_TRUE(request_handle);
186   error = callback.WaitForResult();
187   ASSERT_TRUE(IsCertificateError(error));
188   ASSERT_EQ(2u, verifier_.requests());
189   ASSERT_EQ(0u, verifier_.cache_hits());
190   ASSERT_EQ(0u, verifier_.inflight_joins());
191   ASSERT_EQ(2u, verifier_.GetCacheSize());
192 }
193 
194 // Tests an inflight join.
TEST_F(MultiThreadedCertVerifierTest,InflightJoin)195 TEST_F(MultiThreadedCertVerifierTest, InflightJoin) {
196   base::FilePath certs_dir = GetTestCertsDirectory();
197   scoped_refptr<X509Certificate> test_cert(
198       ImportCertFromFile(certs_dir, "ok_cert.pem"));
199   ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);
200 
201   int error;
202   CertVerifyResult verify_result;
203   TestCompletionCallback callback;
204   CertVerifier::RequestHandle request_handle;
205   CertVerifyResult verify_result2;
206   TestCompletionCallback callback2;
207   CertVerifier::RequestHandle request_handle2;
208 
209   error = verifier_.Verify(test_cert.get(),
210                            "www.example.com",
211                            0,
212                            NULL,
213                            &verify_result,
214                            callback.callback(),
215                            &request_handle,
216                            BoundNetLog());
217   ASSERT_EQ(ERR_IO_PENDING, error);
218   EXPECT_TRUE(request_handle);
219   error = verifier_.Verify(test_cert.get(),
220                            "www.example.com",
221                            0,
222                            NULL,
223                            &verify_result2,
224                            callback2.callback(),
225                            &request_handle2,
226                            BoundNetLog());
227   EXPECT_EQ(ERR_IO_PENDING, error);
228   EXPECT_TRUE(request_handle2 != NULL);
229   error = callback.WaitForResult();
230   EXPECT_TRUE(IsCertificateError(error));
231   error = callback2.WaitForResult();
232   ASSERT_TRUE(IsCertificateError(error));
233   ASSERT_EQ(2u, verifier_.requests());
234   ASSERT_EQ(0u, verifier_.cache_hits());
235   ASSERT_EQ(1u, verifier_.inflight_joins());
236 }
237 
238 // Tests that the callback of a canceled request is never made.
TEST_F(MultiThreadedCertVerifierTest,CancelRequest)239 TEST_F(MultiThreadedCertVerifierTest, CancelRequest) {
240   base::FilePath certs_dir = GetTestCertsDirectory();
241   scoped_refptr<X509Certificate> test_cert(
242       ImportCertFromFile(certs_dir, "ok_cert.pem"));
243   ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);
244 
245   int error;
246   CertVerifyResult verify_result;
247   CertVerifier::RequestHandle request_handle;
248 
249   error = verifier_.Verify(test_cert.get(),
250                            "www.example.com",
251                            0,
252                            NULL,
253                            &verify_result,
254                            base::Bind(&FailTest),
255                            &request_handle,
256                            BoundNetLog());
257   ASSERT_EQ(ERR_IO_PENDING, error);
258   ASSERT_TRUE(request_handle != NULL);
259   verifier_.CancelRequest(request_handle);
260 
261   // Issue a few more requests to the worker pool and wait for their
262   // completion, so that the task of the canceled request (which runs on a
263   // worker thread) is likely to complete by the end of this test.
264   TestCompletionCallback callback;
265   for (int i = 0; i < 5; ++i) {
266     error = verifier_.Verify(test_cert.get(),
267                              "www2.example.com",
268                              0,
269                              NULL,
270                              &verify_result,
271                              callback.callback(),
272                              &request_handle,
273                              BoundNetLog());
274     ASSERT_EQ(ERR_IO_PENDING, error);
275     EXPECT_TRUE(request_handle);
276     error = callback.WaitForResult();
277     verifier_.ClearCache();
278   }
279 }
280 
281 // Tests that a canceled request is not leaked.
282 #if !defined(LEAK_SANITIZER)
283 #define MAYBE_CancelRequestThenQuit CancelRequestThenQuit
284 #else
285 // See PR303886. LeakSanitizer flags a leak here.
286 #define MAYBE_CancelRequestThenQuit DISABLED_CancelRequestThenQuit
287 #endif
TEST_F(MultiThreadedCertVerifierTest,MAYBE_CancelRequestThenQuit)288 TEST_F(MultiThreadedCertVerifierTest, MAYBE_CancelRequestThenQuit) {
289   base::FilePath certs_dir = GetTestCertsDirectory();
290   scoped_refptr<X509Certificate> test_cert(
291       ImportCertFromFile(certs_dir, "ok_cert.pem"));
292   ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);
293 
294   int error;
295   CertVerifyResult verify_result;
296   TestCompletionCallback callback;
297   CertVerifier::RequestHandle request_handle;
298 
299   error = verifier_.Verify(test_cert.get(),
300                            "www.example.com",
301                            0,
302                            NULL,
303                            &verify_result,
304                            callback.callback(),
305                            &request_handle,
306                            BoundNetLog());
307   ASSERT_EQ(ERR_IO_PENDING, error);
308   EXPECT_TRUE(request_handle);
309   verifier_.CancelRequest(request_handle);
310   // Destroy |verifier| by going out of scope.
311 }
312 
TEST_F(MultiThreadedCertVerifierTest,RequestParamsComparators)313 TEST_F(MultiThreadedCertVerifierTest, RequestParamsComparators) {
314   SHA1HashValue a_key;
315   memset(a_key.data, 'a', sizeof(a_key.data));
316 
317   SHA1HashValue z_key;
318   memset(z_key.data, 'z', sizeof(z_key.data));
319 
320   const CertificateList empty_list;
321   CertificateList test_list;
322   test_list.push_back(
323       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
324 
325   struct {
326     // Keys to test
327     MultiThreadedCertVerifier::RequestParams key1;
328     MultiThreadedCertVerifier::RequestParams key2;
329 
330     // Expectation:
331     // -1 means key1 is less than key2
332     //  0 means key1 equals key2
333     //  1 means key1 is greater than key2
334     int expected_result;
335   } tests[] = {
336     {  // Test for basic equivalence.
337       MultiThreadedCertVerifier::RequestParams(a_key, a_key, "www.example.test",
338                                                0, test_list),
339       MultiThreadedCertVerifier::RequestParams(a_key, a_key, "www.example.test",
340                                                0, test_list),
341       0,
342     },
343     {  // Test that different certificates but with the same CA and for
344        // the same host are different validation keys.
345       MultiThreadedCertVerifier::RequestParams(a_key, a_key, "www.example.test",
346                                                0, test_list),
347       MultiThreadedCertVerifier::RequestParams(z_key, a_key, "www.example.test",
348                                                0, test_list),
349       -1,
350     },
351     {  // Test that the same EE certificate for the same host, but with
352        // different chains are different validation keys.
353       MultiThreadedCertVerifier::RequestParams(a_key, z_key, "www.example.test",
354                                                0, test_list),
355       MultiThreadedCertVerifier::RequestParams(a_key, a_key, "www.example.test",
356                                                0, test_list),
357       1,
358     },
359     {  // The same certificate, with the same chain, but for different
360        // hosts are different validation keys.
361       MultiThreadedCertVerifier::RequestParams(a_key, a_key,
362                                                "www1.example.test", 0,
363                                                test_list),
364       MultiThreadedCertVerifier::RequestParams(a_key, a_key,
365                                                "www2.example.test", 0,
366                                                test_list),
367       -1,
368     },
369     {  // The same certificate, chain, and host, but with different flags
370        // are different validation keys.
371       MultiThreadedCertVerifier::RequestParams(a_key, a_key, "www.example.test",
372                                                CertVerifier::VERIFY_EV_CERT,
373                                                test_list),
374       MultiThreadedCertVerifier::RequestParams(a_key, a_key, "www.example.test",
375                                                0, test_list),
376       1,
377     },
378     {  // Different additional_trust_anchors.
379       MultiThreadedCertVerifier::RequestParams(a_key, a_key, "www.example.test",
380                                                0, empty_list),
381       MultiThreadedCertVerifier::RequestParams(a_key, a_key, "www.example.test",
382                                                0, test_list),
383       -1,
384     },
385   };
386   for (size_t i = 0; i < ARRAYSIZE_UNSAFE(tests); ++i) {
387     SCOPED_TRACE(base::StringPrintf("Test[%" PRIuS "]", i));
388 
389     const MultiThreadedCertVerifier::RequestParams& key1 = tests[i].key1;
390     const MultiThreadedCertVerifier::RequestParams& key2 = tests[i].key2;
391 
392     switch (tests[i].expected_result) {
393       case -1:
394         EXPECT_TRUE(key1 < key2);
395         EXPECT_FALSE(key2 < key1);
396         break;
397       case 0:
398         EXPECT_FALSE(key1 < key2);
399         EXPECT_FALSE(key2 < key1);
400         break;
401       case 1:
402         EXPECT_FALSE(key1 < key2);
403         EXPECT_TRUE(key2 < key1);
404         break;
405       default:
406         FAIL() << "Invalid expectation. Can be only -1, 0, 1";
407     }
408   }
409 }
410 
TEST_F(MultiThreadedCertVerifierTest,CertTrustAnchorProvider)411 TEST_F(MultiThreadedCertVerifierTest, CertTrustAnchorProvider) {
412   MockCertTrustAnchorProvider trust_provider;
413   verifier_.SetCertTrustAnchorProvider(&trust_provider);
414 
415   scoped_refptr<X509Certificate> test_cert(
416       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
417   ASSERT_TRUE(test_cert.get());
418 
419   const CertificateList empty_cert_list;
420   CertificateList cert_list;
421   cert_list.push_back(test_cert);
422 
423   // Check that Verify() asks the |trust_provider| for the current list of
424   // additional trust anchors.
425   int error;
426   CertVerifyResult verify_result;
427   TestCompletionCallback callback;
428   CertVerifier::RequestHandle request_handle;
429   EXPECT_CALL(trust_provider, GetAdditionalTrustAnchors())
430       .WillOnce(ReturnRef(empty_cert_list));
431   error = verifier_.Verify(test_cert.get(),
432                            "www.example.com",
433                            0,
434                            NULL,
435                            &verify_result,
436                            callback.callback(),
437                            &request_handle,
438                            BoundNetLog());
439   Mock::VerifyAndClearExpectations(&trust_provider);
440   ASSERT_EQ(ERR_IO_PENDING, error);
441   EXPECT_TRUE(request_handle);
442   error = callback.WaitForResult();
443   EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
444   ASSERT_EQ(1u, verifier_.requests());
445   ASSERT_EQ(0u, verifier_.cache_hits());
446 
447   // The next Verify() uses the cached result.
448   EXPECT_CALL(trust_provider, GetAdditionalTrustAnchors())
449       .WillOnce(ReturnRef(empty_cert_list));
450   error = verifier_.Verify(test_cert.get(),
451                            "www.example.com",
452                            0,
453                            NULL,
454                            &verify_result,
455                            callback.callback(),
456                            &request_handle,
457                            BoundNetLog());
458   Mock::VerifyAndClearExpectations(&trust_provider);
459   EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
460   EXPECT_FALSE(request_handle);
461   ASSERT_EQ(2u, verifier_.requests());
462   ASSERT_EQ(1u, verifier_.cache_hits());
463 
464   // Another Verify() for the same certificate but with a different list of
465   // trust anchors will not reuse the cache.
466   EXPECT_CALL(trust_provider, GetAdditionalTrustAnchors())
467       .WillOnce(ReturnRef(cert_list));
468   error = verifier_.Verify(test_cert.get(),
469                            "www.example.com",
470                            0,
471                            NULL,
472                            &verify_result,
473                            callback.callback(),
474                            &request_handle,
475                            BoundNetLog());
476   Mock::VerifyAndClearExpectations(&trust_provider);
477   ASSERT_EQ(ERR_IO_PENDING, error);
478   EXPECT_TRUE(request_handle);
479   error = callback.WaitForResult();
480   EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
481   ASSERT_EQ(3u, verifier_.requests());
482   ASSERT_EQ(1u, verifier_.cache_hits());
483 }
484 
485 }  // namespace net
486