1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/memory/scoped_ptr.h"
6 #include "crypto/ec_private_key.h"
7 #include "crypto/openssl_util.h"
8 #include "crypto/scoped_openssl_types.h"
9 #include "net/cert/x509_util.h"
10 #include "net/cert/x509_util_openssl.h"
11 #include "testing/gtest/include/gtest/gtest.h"
12
13 namespace net {
14
15 namespace {
16
17 typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509;
18
19 // Verify that a given certificate was signed with the private key corresponding
20 // to a given public key.
21 // |der_cert| is the DER-encoded X.509 certificate.
22 // |der_spki| is the DER-encoded public key of the signer.
VerifyCertificateSignature(const std::string & der_cert,const std::vector<uint8> & der_spki)23 void VerifyCertificateSignature(const std::string& der_cert,
24 const std::vector<uint8>& der_spki) {
25 const unsigned char* cert_data =
26 reinterpret_cast<const unsigned char*>(der_cert.data());
27 int cert_data_len = static_cast<int>(der_cert.size());
28 ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len));
29 ASSERT_TRUE(cert.get());
30
31 // NOTE: SignatureVerifier wants the DER-encoded ASN.1 AlgorithmIdentifier
32 // but there is no OpenSSL API to extract it from an X509 object (!?)
33 // Use X509_verify() directly instead, which takes an EVP_PKEY.
34 const unsigned char* pub_key_data = &der_spki.front();
35 int pub_key_len = static_cast<int>(der_spki.size());
36 crypto::ScopedEVP_PKEY pub_key(d2i_PUBKEY(NULL, &pub_key_data, pub_key_len));
37 ASSERT_TRUE(pub_key.get());
38
39 // NOTE: X509_verify() returns 1 in case of succes, 0 or -1 on error.
40 EXPECT_EQ(1, X509_verify(cert.get(), pub_key.get()));
41 }
42
43 // Verify the attributes of a domain-bound certificate.
44 // |domain| is the bound domain name.
45 // |der_cert| is the DER-encoded X.509 certificate.
VerifyChannelID(const std::string & domain,const std::string & der_cert)46 void VerifyChannelID(const std::string& domain,
47 const std::string& der_cert) {
48 // Origin Bound Cert OID.
49 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6";
50 crypto::ScopedOpenSSL<ASN1_OBJECT, ASN1_OBJECT_free>::Type oid_obj(
51 OBJ_txt2obj(oid_string, 0));
52 ASSERT_TRUE(oid_obj.get());
53
54 const unsigned char* cert_data =
55 reinterpret_cast<const unsigned char*>(der_cert.data());
56 int cert_data_len = static_cast<int>(der_cert.size());
57 ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len));
58 ASSERT_TRUE(cert.get());
59
60 // Find the extension.
61 int ext_pos = X509_get_ext_by_OBJ(cert.get(), oid_obj.get(), -1);
62 ASSERT_NE(-1, ext_pos);
63 X509_EXTENSION* ext = X509_get_ext(cert.get(), ext_pos);
64 ASSERT_TRUE(ext);
65
66 // Check its value, it must be an ASN.1 IA5STRING
67 // Which means <tag> <length> <domain>, with:
68 // <tag> == 22
69 // <length> is the domain length, a single byte for short forms.
70 // <domain> are the domain characters.
71 // See http://en.wikipedia.org/wiki/X.690
72 ASN1_STRING* value_asn1 = X509_EXTENSION_get_data(ext);
73 ASSERT_TRUE(value_asn1);
74 std::string value_str(reinterpret_cast<const char*>(value_asn1->data),
75 value_asn1->length);
76
77 // Check that the domain size is small enough for short form.
78 ASSERT_LE(domain.size(), 127U) << "Domain is too long!";
79 std::string value_expected;
80 value_expected.resize(2);
81 value_expected[0] = 22;
82 value_expected[1] = static_cast<char>(domain.size());
83 value_expected += domain;
84
85 EXPECT_EQ(value_expected, value_str);
86 }
87
88 } // namespace
89
TEST(X509UtilOpenSSLTest,IsSupportedValidityRange)90 TEST(X509UtilOpenSSLTest, IsSupportedValidityRange) {
91 base::Time now = base::Time::Now();
92 EXPECT_TRUE(x509_util::IsSupportedValidityRange(now, now));
93 EXPECT_FALSE(x509_util::IsSupportedValidityRange(
94 now, now - base::TimeDelta::FromSeconds(1)));
95
96 // See x509_util_openssl.cc to see how these were computed.
97 const int64 kDaysFromYear0001ToUnixEpoch = 719162;
98 const int64 kDaysFromUnixEpochToYear10000 = 2932896 + 1;
99
100 // When computing too_old / too_late, add one day to account for
101 // possible leap seconds.
102 base::Time too_old = base::Time::UnixEpoch() -
103 base::TimeDelta::FromDays(kDaysFromYear0001ToUnixEpoch + 1);
104
105 base::Time too_late = base::Time::UnixEpoch() +
106 base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000 + 1);
107
108 EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, too_old));
109 EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, now));
110
111 EXPECT_FALSE(x509_util::IsSupportedValidityRange(now, too_late));
112 EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_late, too_late));
113 }
114
TEST(X509UtilOpenSSLTest,CreateChannelIDEC)115 TEST(X509UtilOpenSSLTest, CreateChannelIDEC) {
116 // Create a sample ASCII weborigin.
117 std::string domain = "weborigin.com";
118 base::Time now = base::Time::Now();
119
120 scoped_ptr<crypto::ECPrivateKey> private_key(
121 crypto::ECPrivateKey::Create());
122 std::string der_cert;
123 ASSERT_TRUE(
124 x509_util::CreateChannelIDEC(private_key.get(),
125 x509_util::DIGEST_SHA1,
126 domain,
127 1,
128 now,
129 now + base::TimeDelta::FromDays(1),
130 &der_cert));
131
132 VerifyChannelID(domain, der_cert);
133
134 // signature_verifier_win and signature_verifier_mac can't handle EC certs.
135 std::vector<uint8> spki;
136 ASSERT_TRUE(private_key->ExportPublicKey(&spki));
137 VerifyCertificateSignature(der_cert, spki);
138 }
139
140 } // namespace net
141