// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/x509_certificate.h" #include #include #include "base/files/file_path.h" #include "base/pickle.h" #include "base/sha1.h" #include "base/strings/string_number_conversions.h" #include "base/strings/string_split.h" #include "base/strings/string_util.h" #include "crypto/rsa_private_key.h" #include "net/base/net_errors.h" #include "net/cert/asn1_util.h" #include "net/cert/x509_util_nss.h" #include "net/test/cert_test_util.h" #include "net/test/test_certificate_data.h" #include "net/test/test_data_directory.h" #include "testing/gtest/include/gtest/gtest.h" #include "url/url_features.h" #if defined(USE_NSS_CERTS) #include #endif using base::HexEncode; using base::Time; namespace net { // Certificates for test data. They're obtained with: // // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der // // For fingerprint // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der // For valid_start, valid_expiry // $ openssl x509 -inform DER -text -noout < /tmp/host.der | // grep -A 2 Validity // $ date +%s -d '' // Google's cert. SHA256HashValue google_fingerprint = { {0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}}; // The fingerprint of the Google certificate used in the parsing tests, // which is newer than the one included in the x509_certificate_data.h SHA256HashValue google_parse_fingerprint = { {0xf6, 0x41, 0xc3, 0x6c, 0xfe, 0xf4, 0x9b, 0xc0, 0x71, 0x35, 0x9e, 0xcf, 0x88, 0xee, 0xd9, 0x31, 0x7b, 0x73, 0x8b, 0x59, 0x89, 0x41, 0x6a, 0xd4, 0x01, 0x72, 0x0c, 0x0a, 0x4e, 0x2e, 0x63, 0x52}}; // The fingerprint for the Thawte SGC certificate SHA256HashValue thawte_parse_fingerprint = { {0x10, 0x85, 0xa6, 0xf4, 0x54, 0xd0, 0xc9, 0x11, 0x98, 0xfd, 0xda, 0xb1, 0x1a, 0x31, 0xc7, 0x16, 0xd5, 0xdc, 0xd6, 0x8d, 0xf9, 0x1c, 0x03, 0x9c, 0xe1, 0x8d, 0xca, 0x9b, 0xeb, 0x3c, 0xde, 0x3d}}; // Dec 18 00:00:00 2009 GMT const double kGoogleParseValidFrom = 1261094400; // Dec 18 23:59:59 2011 GMT const double kGoogleParseValidTo = 1324252799; void CheckGoogleCert(const scoped_refptr& google_cert, const SHA256HashValue& expected_fingerprint, double valid_from, double valid_to) { ASSERT_NE(static_cast(NULL), google_cert.get()); const CertPrincipal& subject = google_cert->subject(); EXPECT_EQ("www.google.com", subject.common_name); EXPECT_EQ("Mountain View", subject.locality_name); EXPECT_EQ("California", subject.state_or_province_name); EXPECT_EQ("US", subject.country_name); EXPECT_EQ(0U, subject.street_addresses.size()); ASSERT_EQ(1U, subject.organization_names.size()); EXPECT_EQ("Google Inc", subject.organization_names[0]); EXPECT_EQ(0U, subject.organization_unit_names.size()); EXPECT_EQ(0U, subject.domain_components.size()); const CertPrincipal& issuer = google_cert->issuer(); EXPECT_EQ("Thawte SGC CA", issuer.common_name); EXPECT_EQ("", issuer.locality_name); EXPECT_EQ("", issuer.state_or_province_name); EXPECT_EQ("ZA", issuer.country_name); EXPECT_EQ(0U, issuer.street_addresses.size()); ASSERT_EQ(1U, issuer.organization_names.size()); EXPECT_EQ("Thawte Consulting (Pty) Ltd.", issuer.organization_names[0]); EXPECT_EQ(0U, issuer.organization_unit_names.size()); EXPECT_EQ(0U, issuer.domain_components.size()); // Use DoubleT because its epoch is the same on all platforms const Time& valid_start = google_cert->valid_start(); EXPECT_EQ(valid_from, valid_start.ToDoubleT()); const Time& valid_expiry = google_cert->valid_expiry(); EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); EXPECT_EQ(expected_fingerprint, X509Certificate::CalculateFingerprint256( google_cert->os_cert_handle())); std::vector dns_names; google_cert->GetDNSNames(&dns_names); ASSERT_EQ(1U, dns_names.size()); EXPECT_EQ("www.google.com", dns_names[0]); } TEST(X509CertificateTest, GoogleCertParsing) { scoped_refptr google_cert( X509Certificate::CreateFromBytes( reinterpret_cast(google_der), sizeof(google_der))); CheckGoogleCert(google_cert, google_fingerprint, 1238192407, // Mar 27 22:20:07 2009 GMT 1269728407); // Mar 27 22:20:07 2010 GMT } TEST(X509CertificateTest, WebkitCertParsing) { scoped_refptr webkit_cert(X509Certificate::CreateFromBytes( reinterpret_cast(webkit_der), sizeof(webkit_der))); ASSERT_NE(static_cast(NULL), webkit_cert.get()); const CertPrincipal& subject = webkit_cert->subject(); EXPECT_EQ("Cupertino", subject.locality_name); EXPECT_EQ("California", subject.state_or_province_name); EXPECT_EQ("US", subject.country_name); EXPECT_EQ(0U, subject.street_addresses.size()); ASSERT_EQ(1U, subject.organization_names.size()); EXPECT_EQ("Apple Inc.", subject.organization_names[0]); ASSERT_EQ(1U, subject.organization_unit_names.size()); EXPECT_EQ("Mac OS Forge", subject.organization_unit_names[0]); EXPECT_EQ(0U, subject.domain_components.size()); const CertPrincipal& issuer = webkit_cert->issuer(); EXPECT_EQ("Go Daddy Secure Certification Authority", issuer.common_name); EXPECT_EQ("Scottsdale", issuer.locality_name); EXPECT_EQ("Arizona", issuer.state_or_province_name); EXPECT_EQ("US", issuer.country_name); EXPECT_EQ(0U, issuer.street_addresses.size()); ASSERT_EQ(1U, issuer.organization_names.size()); EXPECT_EQ("GoDaddy.com, Inc.", issuer.organization_names[0]); ASSERT_EQ(1U, issuer.organization_unit_names.size()); EXPECT_EQ("http://certificates.godaddy.com/repository", issuer.organization_unit_names[0]); EXPECT_EQ(0U, issuer.domain_components.size()); // Use DoubleT because its epoch is the same on all platforms const Time& valid_start = webkit_cert->valid_start(); EXPECT_EQ(1205883319, valid_start.ToDoubleT()); // Mar 18 23:35:19 2008 GMT const Time& valid_expiry = webkit_cert->valid_expiry(); EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT std::vector dns_names; webkit_cert->GetDNSNames(&dns_names); ASSERT_EQ(2U, dns_names.size()); EXPECT_EQ("*.webkit.org", dns_names[0]); EXPECT_EQ("webkit.org", dns_names[1]); // Test that the wildcard cert matches properly. EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org", false)); EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org", false)); EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org", false)); EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com", false)); EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com", false)); } TEST(X509CertificateTest, ThawteCertParsing) { scoped_refptr thawte_cert(X509Certificate::CreateFromBytes( reinterpret_cast(thawte_der), sizeof(thawte_der))); ASSERT_NE(static_cast(NULL), thawte_cert.get()); const CertPrincipal& subject = thawte_cert->subject(); EXPECT_EQ("www.thawte.com", subject.common_name); EXPECT_EQ("Mountain View", subject.locality_name); EXPECT_EQ("California", subject.state_or_province_name); EXPECT_EQ("US", subject.country_name); EXPECT_EQ(0U, subject.street_addresses.size()); ASSERT_EQ(1U, subject.organization_names.size()); EXPECT_EQ("Thawte Inc", subject.organization_names[0]); EXPECT_EQ(0U, subject.organization_unit_names.size()); EXPECT_EQ(0U, subject.domain_components.size()); const CertPrincipal& issuer = thawte_cert->issuer(); EXPECT_EQ("thawte Extended Validation SSL CA", issuer.common_name); EXPECT_EQ("", issuer.locality_name); EXPECT_EQ("", issuer.state_or_province_name); EXPECT_EQ("US", issuer.country_name); EXPECT_EQ(0U, issuer.street_addresses.size()); ASSERT_EQ(1U, issuer.organization_names.size()); EXPECT_EQ("thawte, Inc.", issuer.organization_names[0]); ASSERT_EQ(1U, issuer.organization_unit_names.size()); EXPECT_EQ("Terms of use at https://www.thawte.com/cps (c)06", issuer.organization_unit_names[0]); EXPECT_EQ(0U, issuer.domain_components.size()); // Use DoubleT because its epoch is the same on all platforms const Time& valid_start = thawte_cert->valid_start(); EXPECT_EQ(1227052800, valid_start.ToDoubleT()); // Nov 19 00:00:00 2008 GMT const Time& valid_expiry = thawte_cert->valid_expiry(); EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT std::vector dns_names; thawte_cert->GetDNSNames(&dns_names); ASSERT_EQ(1U, dns_names.size()); EXPECT_EQ("www.thawte.com", dns_names[0]); } // Test that all desired AttributeAndValue pairs can be extracted when only // a single RelativeDistinguishedName is present. "Normally" there is only // one AVA per RDN, but some CAs place all AVAs within a single RDN. // This is a regression test for http://crbug.com/101009 TEST(X509CertificateTest, MultivalueRDN) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr multivalue_rdn_cert = ImportCertFromFile(certs_dir, "multivalue_rdn.pem"); ASSERT_NE(static_cast(NULL), multivalue_rdn_cert.get()); const CertPrincipal& subject = multivalue_rdn_cert->subject(); EXPECT_EQ("Multivalue RDN Test", subject.common_name); EXPECT_EQ("", subject.locality_name); EXPECT_EQ("", subject.state_or_province_name); EXPECT_EQ("US", subject.country_name); EXPECT_EQ(0U, subject.street_addresses.size()); ASSERT_EQ(1U, subject.organization_names.size()); EXPECT_EQ("Chromium", subject.organization_names[0]); ASSERT_EQ(1U, subject.organization_unit_names.size()); EXPECT_EQ("Chromium net_unittests", subject.organization_unit_names[0]); ASSERT_EQ(1U, subject.domain_components.size()); EXPECT_EQ("Chromium", subject.domain_components[0]); } // Test that characters which would normally be escaped in the string form, // such as '=' or '"', are not escaped when parsed as individual components. // This is a regression test for http://crbug.com/102839 TEST(X509CertificateTest, UnescapedSpecialCharacters) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr unescaped_cert = ImportCertFromFile(certs_dir, "unescaped.pem"); ASSERT_NE(static_cast(NULL), unescaped_cert.get()); const CertPrincipal& subject = unescaped_cert->subject(); EXPECT_EQ("127.0.0.1", subject.common_name); EXPECT_EQ("Mountain View", subject.locality_name); EXPECT_EQ("California", subject.state_or_province_name); EXPECT_EQ("US", subject.country_name); ASSERT_EQ(1U, subject.street_addresses.size()); EXPECT_EQ("1600 Amphitheatre Parkway", subject.street_addresses[0]); ASSERT_EQ(1U, subject.organization_names.size()); EXPECT_EQ("Chromium = \"net_unittests\"", subject.organization_names[0]); ASSERT_EQ(2U, subject.organization_unit_names.size()); EXPECT_EQ("net_unittests", subject.organization_unit_names[0]); EXPECT_EQ("Chromium", subject.organization_unit_names[1]); EXPECT_EQ(0U, subject.domain_components.size()); } TEST(X509CertificateTest, TeletexStringIsLatin1) { base::FilePath certs_dir = GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest"); scoped_refptr cert = ImportCertFromFile(certs_dir, "subject_t61string.pem"); ASSERT_TRUE(cert); const CertPrincipal& subject = cert->subject(); EXPECT_EQ( " !\"#$%&'()*+,-./" "0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`" "abcdefghijklmnopqrstuvwxyz{|}~" " ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæç" "èéêëìíîïðñòóôõö÷øùúûüýþÿ", subject.organization_names[0]); } TEST(X509CertificateTest, TeletexStringControlChars) { base::FilePath certs_dir = GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest"); scoped_refptr cert = ImportCertFromFile(certs_dir, "subject_t61string_1-32.pem"); ASSERT_TRUE(cert); const CertPrincipal& subject = cert->subject(); EXPECT_EQ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12" "\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20", subject.organization_names[0]); } TEST(X509CertificateTest, TeletexStringIsLatin1OrCp1252) { base::FilePath certs_dir = GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest"); scoped_refptr cert = ImportCertFromFile(certs_dir, "subject_t61string_126-160.pem"); ASSERT_TRUE(cert); const CertPrincipal& subject = cert->subject(); #if (defined(OS_MACOSX) && !defined(OS_IOS)) || \ (BUILDFLAG(USE_BYTE_CERTS) && !BUILDFLAG(USE_PLATFORM_ICU_ALTERNATIVES)) // Mac: TeletexString is decoded as CP1252. // use_byte_certs: ICU ISO-8859-1 seems to be CP1252 actually. // (but with use_platform_icu_alternatives it's not.) EXPECT_EQ( "~\x7F\xE2\x82\xAC\xC2\x81\xE2\x80\x9A\xC6\x92\xE2\x80\x9E\xE2\x80\xA6" "\xE2\x80\xA0\xE2\x80\xA1\xCB\x86\xE2\x80\xB0\xC5\xA0\xE2\x80\xB9\xC5\x92" "\xC2\x8D\xC5\xBD\xC2\x8F\xC2\x90\xE2\x80\x98\xE2\x80\x99\xE2\x80\x9C\xE2" "\x80\x9D\xE2\x80\xA2\xE2\x80\x93\xE2\x80\x94\xCB\x9C\xE2\x84\xA2\xC5\xA1" "\xE2\x80\xBA\xC5\x93\xC2\x9D\xC5\xBE\xC5\xB8\xC2\xA0", subject.organization_names[0]); #else // NSS, Win, Android, iOS: TeletexString is decoded as latin1, so 127-160 get // decoded to equivalent unicode control chars. EXPECT_EQ( "~\x7F\xC2\x80\xC2\x81\xC2\x82\xC2\x83\xC2\x84\xC2\x85\xC2\x86\xC2\x87" "\xC2\x88\xC2\x89\xC2\x8A\xC2\x8B\xC2\x8C\xC2\x8D\xC2\x8E\xC2\x8F\xC2\x90" "\xC2\x91\xC2\x92\xC2\x93\xC2\x94\xC2\x95\xC2\x96\xC2\x97\xC2\x98\xC2\x99" "\xC2\x9A\xC2\x9B\xC2\x9C\xC2\x9D\xC2\x9E\xC2\x9F\xC2\xA0", subject.organization_names[0]); #endif } TEST(X509CertificateTest, TeletexStringIsNotARealT61String) { base::FilePath certs_dir = GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest"); scoped_refptr cert = ImportCertFromFile(certs_dir, "subject_t61string_actual.pem"); ASSERT_TRUE(cert); const CertPrincipal& subject = cert->subject(); // If TeletexStrings were actually parsed according to T.61, this would be // "あ". (Probably. Not verified against a real implementation.) EXPECT_EQ("\x1B$@$\"", subject.organization_names[0]); } TEST(X509CertificateTest, SerialNumbers) { scoped_refptr google_cert( X509Certificate::CreateFromBytes( reinterpret_cast(google_der), sizeof(google_der))); ASSERT_TRUE(google_cert); static const uint8_t google_serial[16] = { 0x01,0x2a,0x39,0x76,0x0d,0x3f,0x4f,0xc9, 0x0b,0xe7,0xbd,0x2b,0xcf,0x95,0x2e,0x7a, }; ASSERT_EQ(sizeof(google_serial), google_cert->serial_number().size()); EXPECT_TRUE(memcmp(google_cert->serial_number().data(), google_serial, sizeof(google_serial)) == 0); } TEST(X509CertificateTest, SerialNumberZeroPadded) { base::FilePath certs_dir = GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest"); scoped_refptr cert = ImportCertFromFile(certs_dir, "serial_zero_padded.pem"); ASSERT_TRUE(cert); // Check a serial number where the first byte is >= 0x80, the DER returned by // serial() should contain the leading 0 padding byte. static const uint8_t expected_serial[3] = {0x00, 0x80, 0x01}; ASSERT_EQ(sizeof(expected_serial), cert->serial_number().size()); EXPECT_TRUE(memcmp(cert->serial_number().data(), expected_serial, sizeof(expected_serial)) == 0); } TEST(X509CertificateTest, SerialNumberZeroPadded21BytesLong) { base::FilePath certs_dir = GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest"); scoped_refptr cert = ImportCertFromFile(certs_dir, "serial_zero_padded_21_bytes.pem"); ASSERT_TRUE(cert); // Check a serial number where the first byte is >= 0x80, causing the encoded // length to be 21 bytes long. This should be an error, but serial number // parsing is currently permissive. static const uint8_t expected_serial[21] = { 0x00, 0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13}; ASSERT_EQ(sizeof(expected_serial), cert->serial_number().size()); EXPECT_TRUE(memcmp(cert->serial_number().data(), expected_serial, sizeof(expected_serial)) == 0); } TEST(X509CertificateTest, SerialNumberNegative) { base::FilePath certs_dir = GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest"); scoped_refptr cert = ImportCertFromFile(certs_dir, "serial_negative.pem"); ASSERT_TRUE(cert); // RFC 5280 does not allow serial numbers to be negative, but serial number // parsing is currently permissive, so this does not cause an error. static const uint8_t expected_serial[2] = {0x80, 0x01}; ASSERT_EQ(sizeof(expected_serial), cert->serial_number().size()); EXPECT_TRUE(memcmp(cert->serial_number().data(), expected_serial, sizeof(expected_serial)) == 0); } TEST(X509CertificateTest, SerialNumber37BytesLong) { base::FilePath certs_dir = GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest"); scoped_refptr cert = ImportCertFromFile(certs_dir, "serial_37_bytes.pem"); ASSERT_TRUE(cert); // Check a serial number which is very long. This should be an error, but // serial number parsing is currently permissive. static const uint8_t expected_serial[37] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25}; ASSERT_EQ(sizeof(expected_serial), cert->serial_number().size()); EXPECT_TRUE(memcmp(cert->serial_number().data(), expected_serial, sizeof(expected_serial)) == 0); } TEST(X509CertificateTest, SHA256FingerprintsCorrectly) { scoped_refptr google_cert(X509Certificate::CreateFromBytes( reinterpret_cast(google_der), sizeof(google_der))); ASSERT_TRUE(google_cert); const SHA256HashValue google_sha256_fingerprint = { {0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1, 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec, 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}}; EXPECT_EQ(google_sha256_fingerprint, X509Certificate::CalculateFingerprint256( google_cert->os_cert_handle())); } TEST(X509CertificateTest, CAFingerprints) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr server_cert = ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); ASSERT_NE(static_cast(NULL), server_cert.get()); scoped_refptr intermediate_cert1 = ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem"); ASSERT_NE(static_cast(NULL), intermediate_cert1.get()); scoped_refptr intermediate_cert2 = ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2016.pem"); ASSERT_NE(static_cast(NULL), intermediate_cert2.get()); X509Certificate::OSCertHandles intermediates; intermediates.push_back(intermediate_cert1->os_cert_handle()); scoped_refptr cert_chain1 = X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), intermediates); ASSERT_TRUE(cert_chain1); intermediates.clear(); intermediates.push_back(intermediate_cert2->os_cert_handle()); scoped_refptr cert_chain2 = X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), intermediates); ASSERT_TRUE(cert_chain2); // No intermediate CA certicates. intermediates.clear(); scoped_refptr cert_chain3 = X509Certificate::CreateFromHandle(server_cert->os_cert_handle(), intermediates); ASSERT_TRUE(cert_chain3); SHA256HashValue cert_chain1_ca_fingerprint_256 = { {0x51, 0x15, 0x30, 0x49, 0x97, 0x54, 0xf8, 0xb4, 0x17, 0x41, 0x6b, 0x58, 0x78, 0xb0, 0x89, 0xd2, 0xc3, 0xae, 0x66, 0xc1, 0x16, 0x80, 0xa0, 0x78, 0xe7, 0x53, 0x45, 0xa2, 0xfb, 0x80, 0xe1, 0x07}}; SHA256HashValue cert_chain2_ca_fingerprint_256 = { {0x00, 0xbd, 0x2b, 0x0e, 0xdd, 0x83, 0x40, 0xb1, 0x74, 0x6c, 0xc3, 0x95, 0xc0, 0xe3, 0x55, 0xb2, 0x16, 0x58, 0x53, 0xfd, 0xb9, 0x3c, 0x52, 0xda, 0xdd, 0xa8, 0x22, 0x8b, 0x07, 0x00, 0x2d, 0xce}}; // The SHA-256 hash of nothing. SHA256HashValue cert_chain3_ca_fingerprint_256 = { {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}}; EXPECT_EQ(cert_chain1_ca_fingerprint_256, X509Certificate::CalculateCAFingerprint256( cert_chain1->GetIntermediateCertificates())); EXPECT_EQ(cert_chain2_ca_fingerprint_256, X509Certificate::CalculateCAFingerprint256( cert_chain2->GetIntermediateCertificates())); EXPECT_EQ(cert_chain3_ca_fingerprint_256, X509Certificate::CalculateCAFingerprint256( cert_chain3->GetIntermediateCertificates())); SHA256HashValue cert_chain1_chain_fingerprint_256 = { {0xac, 0xff, 0xcc, 0x63, 0x0d, 0xd0, 0xa7, 0x19, 0x78, 0xb5, 0x8a, 0x47, 0x8b, 0x67, 0x97, 0xcb, 0x8d, 0xe1, 0x6a, 0x8a, 0x57, 0x70, 0xda, 0x9a, 0x53, 0x72, 0xe2, 0xa0, 0x08, 0xab, 0xcc, 0x8f}}; SHA256HashValue cert_chain2_chain_fingerprint_256 = { {0x67, 0x3a, 0x11, 0x20, 0xd6, 0x94, 0x14, 0xe4, 0x16, 0x9f, 0x58, 0xe2, 0x8b, 0xf7, 0x27, 0xed, 0xbb, 0xe8, 0xa7, 0xff, 0x1c, 0x8c, 0x0f, 0x21, 0x38, 0x16, 0x7c, 0xad, 0x1f, 0x22, 0x6f, 0x9b}}; SHA256HashValue cert_chain3_chain_fingerprint_256 = { {0x16, 0x7a, 0xbd, 0xb4, 0x57, 0x04, 0x65, 0x3c, 0x3b, 0xef, 0x6e, 0x6a, 0xa6, 0x02, 0x73, 0x30, 0x3e, 0x34, 0x1b, 0x43, 0xc2, 0x7c, 0x98, 0x52, 0x9f, 0x34, 0x7f, 0x55, 0x97, 0xe9, 0x1a, 0x10}}; EXPECT_EQ(cert_chain1_chain_fingerprint_256, X509Certificate::CalculateChainFingerprint256( cert_chain1->os_cert_handle(), cert_chain1->GetIntermediateCertificates())); EXPECT_EQ(cert_chain2_chain_fingerprint_256, X509Certificate::CalculateChainFingerprint256( cert_chain2->os_cert_handle(), cert_chain2->GetIntermediateCertificates())); EXPECT_EQ(cert_chain3_chain_fingerprint_256, X509Certificate::CalculateChainFingerprint256( cert_chain3->os_cert_handle(), cert_chain3->GetIntermediateCertificates())); } TEST(X509CertificateTest, ParseSubjectAltNames) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr san_cert = ImportCertFromFile(certs_dir, "subjectAltName_sanity_check.pem"); ASSERT_NE(static_cast(NULL), san_cert.get()); // Ensure that testing for SAN without using it is accepted. EXPECT_TRUE(san_cert->GetSubjectAltName(nullptr, nullptr)); // Ensure that it's possible to get just dNSNames. std::vector dns_names; EXPECT_TRUE(san_cert->GetSubjectAltName(&dns_names, nullptr)); // Ensure that it's possible to get just iPAddresses. std::vector ip_addresses; EXPECT_TRUE(san_cert->GetSubjectAltName(nullptr, &ip_addresses)); // Ensure that DNS names are correctly parsed. ASSERT_EQ(1U, dns_names.size()); EXPECT_EQ("test.example", dns_names[0]); // Ensure that both IPv4 and IPv6 addresses are correctly parsed. ASSERT_EQ(2U, ip_addresses.size()); static const uint8_t kIPv4Address[] = { 0x7F, 0x00, 0x00, 0x02 }; ASSERT_EQ(arraysize(kIPv4Address), ip_addresses[0].size()); EXPECT_EQ(0, memcmp(ip_addresses[0].data(), kIPv4Address, arraysize(kIPv4Address))); static const uint8_t kIPv6Address[] = { 0xFE, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }; ASSERT_EQ(arraysize(kIPv6Address), ip_addresses[1].size()); EXPECT_EQ(0, memcmp(ip_addresses[1].data(), kIPv6Address, arraysize(kIPv6Address))); // Ensure the subjectAltName dirName has not influenced the handling of // the subject commonName. EXPECT_EQ("127.0.0.1", san_cert->subject().common_name); scoped_refptr no_san_cert = ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); ASSERT_NE(static_cast(NULL), no_san_cert.get()); EXPECT_NE(0u, dns_names.size()); EXPECT_NE(0u, ip_addresses.size()); EXPECT_FALSE(no_san_cert->GetSubjectAltName(&dns_names, &ip_addresses)); EXPECT_EQ(0u, dns_names.size()); EXPECT_EQ(0u, ip_addresses.size()); } #if defined(USE_NSS_CERTS) TEST(X509CertificateTest, ParseClientSubjectAltNames) { base::FilePath certs_dir = GetTestCertsDirectory(); // This cert contains one rfc822Name field, and one Microsoft UPN // otherName field. scoped_refptr san_cert = ImportCertFromFile(certs_dir, "client_3.pem"); ASSERT_NE(static_cast(NULL), san_cert.get()); std::vector rfc822_names; net::x509_util::GetRFC822SubjectAltNames(san_cert->os_cert_handle(), &rfc822_names); ASSERT_EQ(1U, rfc822_names.size()); EXPECT_EQ("santest@example.com", rfc822_names[0]); std::vector upn_names; net::x509_util::GetUPNSubjectAltNames(san_cert->os_cert_handle(), &upn_names); ASSERT_EQ(1U, upn_names.size()); EXPECT_EQ("santest@ad.corp.example.com", upn_names[0]); } #endif // defined(USE_NSS_CERTS) TEST(X509CertificateTest, ExtractSPKIFromDERCert) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr cert = ImportCertFromFile(certs_dir, "nist.der"); ASSERT_NE(static_cast(NULL), cert.get()); std::string derBytes; EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), &derBytes)); base::StringPiece spkiBytes; EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); uint8_t hash[base::kSHA1Length]; base::SHA1HashBytes(reinterpret_cast(spkiBytes.data()), spkiBytes.size(), hash); EXPECT_EQ(0, memcmp(hash, kNistSPKIHash, sizeof(hash))); } TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr cert = ImportCertFromFile(certs_dir, "nist.der"); ASSERT_NE(static_cast(NULL), cert.get()); std::string derBytes; EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), &derBytes)); std::vector crl_urls; EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls)); EXPECT_EQ(1u, crl_urls.size()); if (crl_urls.size() > 0) { EXPECT_EQ("http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl", crl_urls[0].as_string()); } } TEST(X509CertificateTest, HasTLSFeatureExtension) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr cert = ImportCertFromFile(certs_dir, "tls_feature_extension.pem"); ASSERT_NE(static_cast(NULL), cert.get()); std::string derBytes; EXPECT_TRUE( X509Certificate::GetDEREncoded(cert->os_cert_handle(), &derBytes)); EXPECT_TRUE(asn1::HasTLSFeatureExtension(derBytes)); } TEST(X509CertificateTest, DoesNotHaveTLSFeatureExtension) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr cert = ImportCertFromFile(certs_dir, "ok_cert.pem"); ASSERT_NE(static_cast(NULL), cert.get()); std::string derBytes; EXPECT_TRUE( X509Certificate::GetDEREncoded(cert->os_cert_handle(), &derBytes)); EXPECT_FALSE(asn1::HasTLSFeatureExtension(derBytes)); } // Tests X509CertificateCache via X509Certificate::CreateFromHandle. We // call X509Certificate::CreateFromHandle several times and observe whether // it returns a cached or new OSCertHandle. TEST(X509CertificateTest, Cache) { X509Certificate::OSCertHandle google_cert_handle; X509Certificate::OSCertHandle thawte_cert_handle; // Add a single certificate to the certificate cache. google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( reinterpret_cast(google_der), sizeof(google_der)); scoped_refptr cert1(X509Certificate::CreateFromHandle( google_cert_handle, X509Certificate::OSCertHandles())); X509Certificate::FreeOSCertHandle(google_cert_handle); ASSERT_TRUE(cert1); // Add the same certificate, but as a new handle. google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( reinterpret_cast(google_der), sizeof(google_der)); scoped_refptr cert2(X509Certificate::CreateFromHandle( google_cert_handle, X509Certificate::OSCertHandles())); X509Certificate::FreeOSCertHandle(google_cert_handle); ASSERT_TRUE(cert2); // A new X509Certificate should be returned. EXPECT_NE(cert1.get(), cert2.get()); // But both instances should share the underlying OS certificate handle. EXPECT_EQ(cert1->os_cert_handle(), cert2->os_cert_handle()); EXPECT_EQ(0u, cert1->GetIntermediateCertificates().size()); EXPECT_EQ(0u, cert2->GetIntermediateCertificates().size()); // Add the same certificate, but this time with an intermediate. This // should result in the intermediate being cached. Note that this is not // a legitimate chain, but is suitable for testing. google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( reinterpret_cast(google_der), sizeof(google_der)); thawte_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( reinterpret_cast(thawte_der), sizeof(thawte_der)); X509Certificate::OSCertHandles intermediates; intermediates.push_back(thawte_cert_handle); scoped_refptr cert3(X509Certificate::CreateFromHandle( google_cert_handle, intermediates)); X509Certificate::FreeOSCertHandle(google_cert_handle); X509Certificate::FreeOSCertHandle(thawte_cert_handle); ASSERT_TRUE(cert3); // Test that the new certificate, even with intermediates, results in the // same underlying handle being used. EXPECT_EQ(cert1->os_cert_handle(), cert3->os_cert_handle()); // Though they use the same OS handle, the intermediates should be different. EXPECT_NE(cert1->GetIntermediateCertificates().size(), cert3->GetIntermediateCertificates().size()); } TEST(X509CertificateTest, Pickle) { X509Certificate::OSCertHandle google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( reinterpret_cast(google_der), sizeof(google_der)); X509Certificate::OSCertHandle thawte_cert_handle = X509Certificate::CreateOSCertHandleFromBytes( reinterpret_cast(thawte_der), sizeof(thawte_der)); X509Certificate::OSCertHandles intermediates; intermediates.push_back(thawte_cert_handle); scoped_refptr cert = X509Certificate::CreateFromHandle( google_cert_handle, intermediates); ASSERT_NE(static_cast(NULL), cert.get()); X509Certificate::FreeOSCertHandle(google_cert_handle); X509Certificate::FreeOSCertHandle(thawte_cert_handle); base::Pickle pickle; cert->Persist(&pickle); base::PickleIterator iter(pickle); scoped_refptr cert_from_pickle = X509Certificate::CreateFromPickle( &iter, X509Certificate::PICKLETYPE_CERTIFICATE_CHAIN_V3); ASSERT_NE(static_cast(NULL), cert_from_pickle.get()); EXPECT_TRUE(X509Certificate::IsSameOSCert( cert->os_cert_handle(), cert_from_pickle->os_cert_handle())); const X509Certificate::OSCertHandles& cert_intermediates = cert->GetIntermediateCertificates(); const X509Certificate::OSCertHandles& pickle_intermediates = cert_from_pickle->GetIntermediateCertificates(); ASSERT_EQ(cert_intermediates.size(), pickle_intermediates.size()); for (size_t i = 0; i < cert_intermediates.size(); ++i) { EXPECT_TRUE(X509Certificate::IsSameOSCert(cert_intermediates[i], pickle_intermediates[i])); } } TEST(X509CertificateTest, IntermediateCertificates) { scoped_refptr webkit_cert( X509Certificate::CreateFromBytes( reinterpret_cast(webkit_der), sizeof(webkit_der))); ASSERT_TRUE(webkit_cert); scoped_refptr thawte_cert( X509Certificate::CreateFromBytes( reinterpret_cast(thawte_der), sizeof(thawte_der))); ASSERT_TRUE(thawte_cert); X509Certificate::OSCertHandle google_handle; // Create object with no intermediates: google_handle = X509Certificate::CreateOSCertHandleFromBytes( reinterpret_cast(google_der), sizeof(google_der)); X509Certificate::OSCertHandles intermediates1; scoped_refptr cert1; cert1 = X509Certificate::CreateFromHandle(google_handle, intermediates1); ASSERT_TRUE(cert1); EXPECT_EQ(0u, cert1->GetIntermediateCertificates().size()); // Create object with 2 intermediates: X509Certificate::OSCertHandles intermediates2; intermediates2.push_back(webkit_cert->os_cert_handle()); intermediates2.push_back(thawte_cert->os_cert_handle()); scoped_refptr cert2; cert2 = X509Certificate::CreateFromHandle(google_handle, intermediates2); ASSERT_TRUE(cert2); // Verify it has all the intermediates: const X509Certificate::OSCertHandles& cert2_intermediates = cert2->GetIntermediateCertificates(); ASSERT_EQ(2u, cert2_intermediates.size()); EXPECT_TRUE(X509Certificate::IsSameOSCert(cert2_intermediates[0], webkit_cert->os_cert_handle())); EXPECT_TRUE(X509Certificate::IsSameOSCert(cert2_intermediates[1], thawte_cert->os_cert_handle())); // Cleanup X509Certificate::FreeOSCertHandle(google_handle); } TEST(X509CertificateTest, IsIssuedByEncoded) { base::FilePath certs_dir = GetTestCertsDirectory(); // Test a client certificate from MIT. scoped_refptr mit_davidben_cert( ImportCertFromFile(certs_dir, "mit.davidben.der")); ASSERT_NE(static_cast(NULL), mit_davidben_cert.get()); std::string mit_issuer(reinterpret_cast(MITDN), sizeof(MITDN)); // Test a certificate from Google, issued by Thawte scoped_refptr google_cert( ImportCertFromFile(certs_dir, "google.single.der")); ASSERT_NE(static_cast(NULL), google_cert.get()); std::string thawte_issuer(reinterpret_cast(ThawteDN), sizeof(ThawteDN)); // Check that the David Ben certificate is issued by MIT, but not // by Thawte. std::vector issuers; issuers.clear(); issuers.push_back(mit_issuer); EXPECT_TRUE(mit_davidben_cert->IsIssuedByEncoded(issuers)); EXPECT_FALSE(google_cert->IsIssuedByEncoded(issuers)); // Check that the Google certificate is issued by Thawte and not // by MIT. issuers.clear(); issuers.push_back(thawte_issuer); EXPECT_FALSE(mit_davidben_cert->IsIssuedByEncoded(issuers)); EXPECT_TRUE(google_cert->IsIssuedByEncoded(issuers)); // Check that they both pass when given a list of the two issuers. issuers.clear(); issuers.push_back(mit_issuer); issuers.push_back(thawte_issuer); EXPECT_TRUE(mit_davidben_cert->IsIssuedByEncoded(issuers)); EXPECT_TRUE(google_cert->IsIssuedByEncoded(issuers)); } TEST(X509CertificateTest, IsSelfSigned) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr cert( ImportCertFromFile(certs_dir, "mit.davidben.der")); ASSERT_NE(static_cast(NULL), cert.get()); EXPECT_FALSE(X509Certificate::IsSelfSigned(cert->os_cert_handle())); scoped_refptr self_signed( ImportCertFromFile(certs_dir, "aia-root.pem")); ASSERT_NE(static_cast(NULL), self_signed.get()); EXPECT_TRUE(X509Certificate::IsSelfSigned(self_signed->os_cert_handle())); scoped_refptr bad_name( ImportCertFromFile(certs_dir, "self-signed-invalid-name.pem")); ASSERT_NE(static_cast(NULL), bad_name.get()); EXPECT_FALSE(X509Certificate::IsSelfSigned(bad_name->os_cert_handle())); scoped_refptr bad_sig( ImportCertFromFile(certs_dir, "self-signed-invalid-sig.pem")); ASSERT_NE(static_cast(NULL), bad_sig.get()); EXPECT_FALSE(X509Certificate::IsSelfSigned(bad_sig->os_cert_handle())); } TEST(X509CertificateTest, IsIssuedByEncodedWithIntermediates) { static const unsigned char kPolicyRootDN[] = { 0x30, 0x1e, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41 }; static const unsigned char kPolicyIntermediateDN[] = { 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, 0x65, 0x20, 0x43, 0x41 }; base::FilePath certs_dir = GetTestCertsDirectory(); CertificateList policy_chain = CreateCertificateListFromFile( certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO); ASSERT_EQ(3u, policy_chain.size()); // The intermediate CA certificate's policyConstraints extension has a // requireExplicitPolicy field with SkipCerts=0. std::string policy_intermediate_dn( reinterpret_cast(kPolicyIntermediateDN), sizeof(kPolicyIntermediateDN)); std::string policy_root_dn(reinterpret_cast(kPolicyRootDN), sizeof(kPolicyRootDN)); X509Certificate::OSCertHandles intermediates; intermediates.push_back(policy_chain[1]->os_cert_handle()); scoped_refptr cert_chain = X509Certificate::CreateFromHandle(policy_chain[0]->os_cert_handle(), intermediates); ASSERT_TRUE(cert_chain); std::vector issuers; // Check that the chain is issued by the intermediate. issuers.clear(); issuers.push_back(policy_intermediate_dn); EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers)); // Check that the chain is also issued by the root. issuers.clear(); issuers.push_back(policy_root_dn); EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers)); // Check that the chain is issued by either the intermediate or the root. issuers.clear(); issuers.push_back(policy_intermediate_dn); issuers.push_back(policy_root_dn); EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers)); // Check that an empty issuers list returns false. issuers.clear(); EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers)); // Check that the chain is not issued by Verisign std::string mit_issuer(reinterpret_cast(VerisignDN), sizeof(VerisignDN)); issuers.clear(); issuers.push_back(mit_issuer); EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers)); } // Tests that FreeOSCertHandle ignores NULL on each OS. TEST(X509CertificateTest, FreeNullHandle) { X509Certificate::FreeOSCertHandle(NULL); } #if defined(USE_NSS_CERTS) TEST(X509CertificateTest, GetDefaultNickname) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr test_cert( ImportCertFromFile(certs_dir, "no_subject_common_name_cert.pem")); ASSERT_NE(static_cast(NULL), test_cert.get()); std::string nickname = test_cert->GetDefaultNickname(USER_CERT); EXPECT_EQ("wtc@google.com's COMODO Client Authentication and " "Secure Email CA ID", nickname); } #endif const struct CertificateFormatTestData { const char* file_name; X509Certificate::Format format; SHA256HashValue* chain_fingerprints[3]; } kFormatTestData[] = { // DER Parsing - single certificate, DER encoded {"google.single.der", X509Certificate::FORMAT_SINGLE_CERTIFICATE, { &google_parse_fingerprint, NULL, }}, // DER parsing - single certificate, PEM encoded {"google.single.pem", X509Certificate::FORMAT_SINGLE_CERTIFICATE, { &google_parse_fingerprint, NULL, }}, // PEM parsing - single certificate, PEM encoded with a PEB of // "CERTIFICATE" {"google.single.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, { &google_parse_fingerprint, NULL, }}, // PEM parsing - sequence of certificates, PEM encoded with a PEB of // "CERTIFICATE" {"google.chain.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE, { &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, }}, // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER // encoding {"google.binary.p7b", X509Certificate::FORMAT_PKCS7, { &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, }}, // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM // encoded with a PEM PEB of "CERTIFICATE" {"google.pem_cert.p7b", X509Certificate::FORMAT_PKCS7, { &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, }}, // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM // encoded with a PEM PEB of "PKCS7" {"google.pem_pkcs7.p7b", X509Certificate::FORMAT_PKCS7, { &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, }}, // All of the above, this time using auto-detection {"google.single.der", X509Certificate::FORMAT_AUTO, { &google_parse_fingerprint, NULL, }}, {"google.single.pem", X509Certificate::FORMAT_AUTO, { &google_parse_fingerprint, NULL, }}, {"google.chain.pem", X509Certificate::FORMAT_AUTO, { &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, }}, {"google.binary.p7b", X509Certificate::FORMAT_AUTO, { &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, }}, {"google.pem_cert.p7b", X509Certificate::FORMAT_AUTO, { &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, }}, {"google.pem_pkcs7.p7b", X509Certificate::FORMAT_AUTO, { &google_parse_fingerprint, &thawte_parse_fingerprint, NULL, }}, }; class X509CertificateParseTest : public testing::TestWithParam { public: virtual ~X509CertificateParseTest() {} void SetUp() override { test_data_ = GetParam(); } void TearDown() override {} protected: CertificateFormatTestData test_data_; }; TEST_P(X509CertificateParseTest, CanParseFormat) { base::FilePath certs_dir = GetTestCertsDirectory(); CertificateList certs = CreateCertificateListFromFile( certs_dir, test_data_.file_name, test_data_.format); ASSERT_FALSE(certs.empty()); ASSERT_LE(certs.size(), arraysize(test_data_.chain_fingerprints)); CheckGoogleCert(certs.front(), google_parse_fingerprint, kGoogleParseValidFrom, kGoogleParseValidTo); size_t i; for (i = 0; i < arraysize(test_data_.chain_fingerprints); ++i) { if (test_data_.chain_fingerprints[i] == NULL) { // No more test certificates expected - make sure no more were // returned before marking this test a success. EXPECT_EQ(i, certs.size()); break; } // A cert is expected - make sure that one was parsed. ASSERT_LT(i, certs.size()); ASSERT_TRUE(certs[i]); // Compare the parsed certificate with the expected certificate, by // comparing fingerprints. EXPECT_EQ( *test_data_.chain_fingerprints[i], X509Certificate::CalculateFingerprint256(certs[i]->os_cert_handle())); } } INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, testing::ValuesIn(kFormatTestData)); struct CertificateNameVerifyTestData { // true iff we expect hostname to match an entry in cert_names. bool expected; // The hostname to match. const char* hostname; // Common name, may be used if |dns_names| or |ip_addrs| are empty. const char* common_name; // Comma separated list of certificate names to match against. Any occurrence // of '#' will be replaced with a null character before processing. const char* dns_names; // Comma separated list of certificate IP Addresses to match against. Each // address is x prefixed 16 byte hex code for v6 or dotted-decimals for v4. const char* ip_addrs; // Whether to disable matching against the commonName. This is a negative // condition so that tests can omit one or more of the above fields and // allow default initialization to handle this case. bool disable_fallback; }; // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how // to output the parameter that was passed. Without this, it will simply // attempt to print out the first twenty bytes of the object, which depending // on platform and alignment, may result in an invalid read. void PrintTo(const CertificateNameVerifyTestData& data, std::ostream* os) { ASSERT_TRUE(data.hostname && data.common_name); // Using StringPiece to allow for optional fields being NULL. *os << " expected: " << data.expected << "; hostname: " << data.hostname << "; common_name: " << data.common_name << "; dns_names: " << base::StringPiece(data.dns_names) << "; ip_addrs: " << base::StringPiece(data.ip_addrs) << "; disable_fallback: " << data.disable_fallback; } const CertificateNameVerifyTestData kNameVerifyTestData[] = { { true, "foo.com", "foo.com" }, { true, "f", "f" }, { false, "h", "i" }, { true, "bar.foo.com", "*.foo.com" }, { true, "www.test.fr", "common.name", "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, { true, "wwW.tESt.fr", "common.name", ",*.*,*.test.de,*.test.FR,www" }, { false, "f.uk", ".uk" }, { false, "w.bar.foo.com", "?.bar.foo.com" }, { false, "www.foo.com", "(www|ftp).foo.com" }, { false, "www.foo.com", "www.foo.com#" }, // # = null char. { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, { false, "www.house.example", "ww.house.example" }, { false, "test.org", "", "www.test.org,*.test.org,*.org" }, { false, "w.bar.foo.com", "w*.bar.foo.com" }, { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, { false, "wwww.bar.foo.com", "w*w.bar.foo.com" }, { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, { false, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, { false, "wally.bar.foo.com", "*Ly.bar.foo.com" }, { true, "ww%57.foo.com", "", "www.foo.com" }, { true, "www&.foo.com", "www%26.foo.com" }, // Common name must not be used if subject alternative name was provided. { false, "www.test.co.jp", "www.test.co.jp", "*.test.de,*.jp,www.test.co.uk,www.*.co.jp" }, { false, "www.bar.foo.com", "www.bar.foo.com", "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," }, { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" }, { false, "66.77.88.99", "66.77.88.99", "www.bath.org" }, // Common name must not be used if fallback is disabled. { false, "www.test.com", "www.test.com", nullptr, nullptr, true }, { false, "127.0.0.1", "127.0.0.1", nullptr, nullptr, true }, // IDN tests { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" }, { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br," "xn--poema-*.com.br," "xn--*-9qae5a.com.br," "*--poema-9qae5a.com.br" }, // The following are adapted from the examples quoted from // http://tools.ietf.org/html/rfc6125#section-6.4.3 // (e.g., *.example.com would match foo.example.com but // not bar.foo.example.com or example.com). { true, "foo.example.com", "*.example.com" }, { false, "bar.foo.example.com", "*.example.com" }, { false, "example.com", "*.example.com" }, // Partial wildcards are disallowed, though RFC 2818 rules allow them. // That is, forms such as baz*.example.net, *baz.example.net, and // b*z.example.net should NOT match domains. Instead, the wildcard must // always be the left-most label, and only a single label. { false, "baz1.example.net", "baz*.example.net" }, { false, "foobaz.example.net", "*baz.example.net" }, { false, "buzz.example.net", "b*z.example.net" }, { false, "www.test.example.net", "www.*.example.net" }, // Wildcards should not be valid for public registry controlled domains, // and unknown/unrecognized domains, at least three domain components must // be present. { true, "www.test.example", "*.test.example" }, { true, "test.example.co.uk", "*.example.co.uk" }, { false, "test.example", "*.example" }, { false, "example.co.uk", "*.co.uk" }, { false, "foo.com", "*.com" }, { false, "foo.us", "*.us" }, { false, "foo", "*" }, // IDN variants of wildcards and registry controlled domains. { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" }, { false, "xn--poema-9qae5a.com.br", "*.com.br" }, { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" }, // Wildcards should be permissible for 'private' registry controlled // domains. { true, "www.appspot.com", "*.appspot.com" }, { true, "foo.s3.amazonaws.com", "*.s3.amazonaws.com" }, // Multiple wildcards are not valid. { false, "foo.example.com", "*.*.com" }, { false, "foo.bar.example.com", "*.bar.*.com" }, // Absolute vs relative DNS name tests. Although not explicitly specified // in RFC 6125, absolute reference names (those ending in a .) should // match either absolute or relative presented names. { true, "foo.com", "foo.com." }, { true, "foo.com.", "foo.com" }, { true, "foo.com.", "foo.com." }, { true, "f", "f." }, { true, "f.", "f" }, { true, "f.", "f." }, { true, "www-3.bar.foo.com", "*.bar.foo.com." }, { true, "www-3.bar.foo.com.", "*.bar.foo.com" }, { true, "www-3.bar.foo.com.", "*.bar.foo.com." }, { false, ".", "." }, { false, "example.com", "*.com." }, { false, "example.com.", "*.com" }, { false, "example.com.", "*.com." }, { false, "foo.", "*." }, { false, "foo", "*." }, { false, "foo.co.uk", "*.co.uk." }, { false, "foo.co.uk.", "*.co.uk." }, // IP addresses in common name; IPv4 only. { true, "127.0.0.1", "127.0.0.1" }, { true, "192.168.1.1", "192.168.1.1" }, { true, "676768", "0.10.83.160" }, { true, "1.2.3", "1.2.0.3" }, { false, "192.169.1.1", "192.168.1.1" }, { false, "12.19.1.1", "12.19.1.1/255.255.255.0" }, { false, "FEDC:ba98:7654:3210:FEDC:BA98:7654:3210", "FEDC:BA98:7654:3210:FEDC:ba98:7654:3210" }, { false, "1111:2222:3333:4444:5555:6666:7777:8888", "1111:2222:3333:4444:5555:6666:7777:8888" }, { false, "::192.9.5.5", "[::192.9.5.5]" }, // No wildcard matching in valid IP addresses { false, "::192.9.5.5", "*.9.5.5" }, { false, "2010:836B:4179::836B:4179", "*:836B:4179::836B:4179" }, { false, "192.168.1.11", "*.168.1.11" }, { false, "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210", "*.]" }, // IP addresses in subject alternative name (common name ignored) { true, "10.1.2.3", "", "", "10.1.2.3" }, { true, "14.15", "", "", "14.0.0.15" }, { false, "10.1.2.7", "10.1.2.7", "", "10.1.2.6,10.1.2.8" }, { false, "10.1.2.8", "10.20.2.8", "foo" }, { true, "::4.5.6.7", "", "", "x00000000000000000000000004050607" }, { false, "::6.7.8.9", "::6.7.8.9", "::6.7.8.9", "x00000000000000000000000006070808,x0000000000000000000000000607080a," "xff000000000000000000000006070809,6.7.8.9" }, { true, "FE80::200:f8ff:fe21:67cf", "no.common.name", "", "x00000000000000000000000006070808,xfe800000000000000200f8fffe2167cf," "xff0000000000000000000000060708ff,10.0.0.1" }, // Numeric only hostnames (none of these are considered valid IP addresses). { false, "12345.6", "12345.6" }, { false, "121.2.3.512", "", "1*1.2.3.512,*1.2.3.512,1*.2.3.512,*.2.3.512", "121.2.3.0"}, { false, "1.2.3.4.5.6", "*.2.3.4.5.6" }, { true, "1.2.3.4.5", "", "1.2.3.4.5" }, // Invalid host names. { false, "junk)(£)$*!@~#", "junk)(£)$*!@~#" }, { false, "www.*.com", "www.*.com" }, { false, "w$w.f.com", "w$w.f.com" }, { false, "nocolonallowed:example", "", "nocolonallowed:example" }, { false, "www-1.[::FFFF:129.144.52.38]", "*.[::FFFF:129.144.52.38]" }, { false, "[::4.5.6.9]", "", "", "x00000000000000000000000004050609" }, }; class X509CertificateNameVerifyTest : public testing::TestWithParam { }; TEST_P(X509CertificateNameVerifyTest, VerifyHostname) { CertificateNameVerifyTestData test_data = GetParam(); std::string common_name(test_data.common_name); ASSERT_EQ(std::string::npos, common_name.find(',')); std::replace(common_name.begin(), common_name.end(), '#', '\0'); std::vector dns_names, ip_addressses; if (test_data.dns_names) { // Build up the certificate DNS names list. std::string dns_name_line(test_data.dns_names); std::replace(dns_name_line.begin(), dns_name_line.end(), '#', '\0'); dns_names = base::SplitString(dns_name_line, ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); } if (test_data.ip_addrs) { // Build up the certificate IP address list. std::string ip_addrs_line(test_data.ip_addrs); std::vector ip_addressses_ascii = base::SplitString( ip_addrs_line, ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { std::string& addr_ascii = ip_addressses_ascii[i]; ASSERT_NE(0U, addr_ascii.length()); if (addr_ascii[0] == 'x') { // Hex encoded address addr_ascii.erase(0, 1); std::vector bytes; EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) << "Could not parse hex address " << addr_ascii << " i = " << i; ip_addressses.push_back(std::string(reinterpret_cast(&bytes[0]), bytes.size())); ASSERT_EQ(16U, ip_addressses.back().size()) << i; } else { // Decimal groups std::vector decimals_ascii = base::SplitString( addr_ascii, ".", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); EXPECT_EQ(4U, decimals_ascii.size()) << i; std::string addr_bytes; for (size_t j = 0; j < decimals_ascii.size(); ++j) { int decimal_value; EXPECT_TRUE(base::StringToInt(decimals_ascii[j], &decimal_value)); EXPECT_GE(decimal_value, 0); EXPECT_LE(decimal_value, 255); addr_bytes.push_back(static_cast(decimal_value)); } ip_addressses.push_back(addr_bytes); ASSERT_EQ(4U, ip_addressses.back().size()) << i; } } } EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname(test_data.hostname, common_name, dns_names, ip_addressses, !test_data.disable_fallback)); } INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, testing::ValuesIn(kNameVerifyTestData)); const struct PublicKeyInfoTestData { const char* cert_file; size_t expected_bits; X509Certificate::PublicKeyType expected_type; } kPublicKeyInfoTestData[] = { {"768-rsa-ee-by-768-rsa-intermediate.pem", 768, X509Certificate::kPublicKeyTypeRSA}, {"1024-rsa-ee-by-768-rsa-intermediate.pem", 1024, X509Certificate::kPublicKeyTypeRSA}, {"prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem", 256, X509Certificate::kPublicKeyTypeECDSA}, #if defined(OS_MACOSX) && !defined(OS_IOS) && !BUILDFLAG(USE_BYTE_CERTS) // OS X has an key length limit of 4096 bits. This should manifest as an // unknown key. If a future version of OS X changes this, large_key.pem may // need to be renegerated with a larger key. See https://crbug.com/472291. {"large_key.pem", 0, X509Certificate::kPublicKeyTypeUnknown}, #else {"large_key.pem", 8200, X509Certificate::kPublicKeyTypeRSA}, #endif }; class X509CertificatePublicKeyInfoTest : public testing::TestWithParam { }; TEST_P(X509CertificatePublicKeyInfoTest, GetPublicKeyInfo) { PublicKeyInfoTestData data = GetParam(); scoped_refptr cert( ImportCertFromFile(GetTestCertsDirectory(), data.cert_file)); ASSERT_TRUE(cert.get()); size_t actual_bits = 0; X509Certificate::PublicKeyType actual_type = X509Certificate::kPublicKeyTypeUnknown; X509Certificate::GetPublicKeyInfo(cert->os_cert_handle(), &actual_bits, &actual_type); EXPECT_EQ(data.expected_bits, actual_bits); EXPECT_EQ(data.expected_type, actual_type); } INSTANTIATE_TEST_CASE_P(, X509CertificatePublicKeyInfoTest, testing::ValuesIn(kPublicKeyInfoTestData)); } // namespace net