summaryrefslogtreecommitdiffstats
path: root/net/base/x509_certificate_unittest.cc
diff options
context:
space:
mode:
authorIain Merrick <husky@google.com>2010-10-19 14:37:37 +0100
committerIain Merrick <husky@google.com>2010-10-19 14:37:37 +0100
commit3345a6884c488ff3a535c2c9acdd33d74b37e311 (patch)
tree7784b988ef1698cb6967ea1bdf07616237716c6c /net/base/x509_certificate_unittest.cc
parentefc8475837ec58186051f23bb03542620424f6ce (diff)
downloadexternal_chromium-3345a6884c488ff3a535c2c9acdd33d74b37e311.zip
external_chromium-3345a6884c488ff3a535c2c9acdd33d74b37e311.tar.gz
external_chromium-3345a6884c488ff3a535c2c9acdd33d74b37e311.tar.bz2
Merge Chromium at 7.0.540.0 : Initial merge by git
Not including third_party/icu as it contains huge data files that break Gerrit, and aren't actually used. Change-Id: I428a386e70f3b58cacd28677b8cfda282e891e15
Diffstat (limited to 'net/base/x509_certificate_unittest.cc')
-rw-r--r--net/base/x509_certificate_unittest.cc244
1 files changed, 222 insertions, 22 deletions
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 63eec15..e1319d7 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -29,8 +29,6 @@ using base::Time;
namespace net {
-namespace {
-
// Certificates for test data. They're obtained with:
//
// $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null
@@ -76,6 +74,93 @@ unsigned char unosoft_hu_fingerprint[] = {
0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8
};
+// The fingerprint of the Google certificate used in the parsing tests,
+// which is newer than the one included in the x509_certificate_data.h
+unsigned char google_parse_fingerprint[] = {
+ 0x40, 0x50, 0x62, 0xe5, 0xbe, 0xfd, 0xe4, 0xaf, 0x97, 0xe9, 0x38, 0x2a,
+ 0xf1, 0x6c, 0xc8, 0x7c, 0x8f, 0xb7, 0xc4, 0xe2
+};
+
+// The fingerprint for the Thawte SGC certificate
+unsigned char thawte_parse_fingerprint[] = {
+ 0xec, 0x07, 0x10, 0x03, 0xd8, 0xf5, 0xa3, 0x7f, 0x42, 0xc4, 0x55, 0x7f,
+ 0x65, 0x6a, 0xae, 0x86, 0x65, 0xfa, 0x4b, 0x02
+};
+
+// Dec 18 00:00:00 2009 GMT
+const double kGoogleParseValidFrom = 1261094400;
+// Dec 18 23:59:59 2011 GMT
+const double kGoogleParseValidTo = 1324252799;
+
+struct CertificateFormatTestData {
+ const char* file_name;
+ X509Certificate::Format format;
+ unsigned char* chain_fingerprints[3];
+};
+
+const CertificateFormatTestData FormatTestData[] = {
+ // DER Parsing - single certificate, DER encoded
+ { "google.single.der", X509Certificate::FORMAT_SINGLE_CERTIFICATE,
+ { google_parse_fingerprint,
+ NULL, } },
+ // DER parsing - single certificate, PEM encoded
+ { "google.single.pem", X509Certificate::FORMAT_SINGLE_CERTIFICATE,
+ { google_parse_fingerprint,
+ NULL, } },
+ // PEM parsing - single certificate, PEM encoded with a PEB of
+ // "CERTIFICATE"
+ { "google.single.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE,
+ { google_parse_fingerprint,
+ NULL, } },
+ // PEM parsing - sequence of certificates, PEM encoded with a PEB of
+ // "CERTIFICATE"
+ { "google.chain.pem", X509Certificate::FORMAT_PEM_CERT_SEQUENCE,
+ { google_parse_fingerprint,
+ thawte_parse_fingerprint,
+ NULL, } },
+ // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER
+ // encoding
+ { "google.binary.p7b", X509Certificate::FORMAT_PKCS7,
+ { google_parse_fingerprint,
+ thawte_parse_fingerprint,
+ NULL, } },
+ // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM
+ // encoded with a PEM PEB of "CERTIFICATE"
+ { "google.pem_cert.p7b", X509Certificate::FORMAT_PKCS7,
+ { google_parse_fingerprint,
+ thawte_parse_fingerprint,
+ NULL, } },
+ // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM
+ // encoded with a PEM PEB of "PKCS7"
+ { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_PKCS7,
+ { google_parse_fingerprint,
+ thawte_parse_fingerprint,
+ NULL, } },
+ // All of the above, this time using auto-detection
+ { "google.single.der", X509Certificate::FORMAT_AUTO,
+ { google_parse_fingerprint,
+ NULL, } },
+ { "google.single.pem", X509Certificate::FORMAT_AUTO,
+ { google_parse_fingerprint,
+ NULL, } },
+ { "google.chain.pem", X509Certificate::FORMAT_AUTO,
+ { google_parse_fingerprint,
+ thawte_parse_fingerprint,
+ NULL, } },
+ { "google.binary.p7b", X509Certificate::FORMAT_AUTO,
+ { google_parse_fingerprint,
+ thawte_parse_fingerprint,
+ NULL, } },
+ { "google.pem_cert.p7b", X509Certificate::FORMAT_AUTO,
+ { google_parse_fingerprint,
+ thawte_parse_fingerprint,
+ NULL, } },
+ { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_AUTO,
+ { google_parse_fingerprint,
+ thawte_parse_fingerprint,
+ NULL, } },
+};
+
// Returns a FilePath object representing the src/net/data/ssl/certificates
// directory in the source tree.
FilePath GetTestCertsDirectory() {
@@ -100,12 +185,22 @@ X509Certificate* ImportCertFromFile(const FilePath& certs_dir,
return X509Certificate::CreateFromBytes(cert_data.data(), cert_data.size());
}
-} // namespace
-
-TEST(X509CertificateTest, GoogleCertParsing) {
- scoped_refptr<X509Certificate> google_cert = X509Certificate::CreateFromBytes(
- reinterpret_cast<const char*>(google_der), sizeof(google_der));
+CertificateList CreateCertificateListFromFile(
+ const FilePath& certs_dir,
+ const std::string& cert_file,
+ int format) {
+ FilePath cert_path = certs_dir.AppendASCII(cert_file);
+ std::string cert_data;
+ if (!file_util::ReadFileToString(cert_path, &cert_data))
+ return CertificateList();
+ return X509Certificate::CreateCertificateListFromBytes(cert_data.data(),
+ cert_data.size(),
+ format);
+}
+void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert,
+ unsigned char* expected_fingerprint,
+ double valid_from, double valid_to) {
ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert);
const CertPrincipal& subject = google_cert->subject();
@@ -114,7 +209,7 @@ TEST(X509CertificateTest, GoogleCertParsing) {
EXPECT_EQ("California", subject.state_or_province_name);
EXPECT_EQ("US", subject.country_name);
EXPECT_EQ(0U, subject.street_addresses.size());
- EXPECT_EQ(1U, subject.organization_names.size());
+ ASSERT_EQ(1U, subject.organization_names.size());
EXPECT_EQ("Google Inc", subject.organization_names[0]);
EXPECT_EQ(0U, subject.organization_unit_names.size());
EXPECT_EQ(0U, subject.domain_components.size());
@@ -125,25 +220,25 @@ TEST(X509CertificateTest, GoogleCertParsing) {
EXPECT_EQ("", issuer.state_or_province_name);
EXPECT_EQ("ZA", issuer.country_name);
EXPECT_EQ(0U, issuer.street_addresses.size());
- EXPECT_EQ(1U, issuer.organization_names.size());
+ ASSERT_EQ(1U, issuer.organization_names.size());
EXPECT_EQ("Thawte Consulting (Pty) Ltd.", issuer.organization_names[0]);
EXPECT_EQ(0U, issuer.organization_unit_names.size());
EXPECT_EQ(0U, issuer.domain_components.size());
// Use DoubleT because its epoch is the same on all platforms
const Time& valid_start = google_cert->valid_start();
- EXPECT_EQ(1238192407, valid_start.ToDoubleT()); // Mar 27 22:20:07 2009 GMT
+ EXPECT_EQ(valid_from, valid_start.ToDoubleT());
const Time& valid_expiry = google_cert->valid_expiry();
- EXPECT_EQ(1269728407, valid_expiry.ToDoubleT()); // Mar 27 22:20:07 2010 GMT
+ EXPECT_EQ(valid_to, valid_expiry.ToDoubleT());
const SHA1Fingerprint& fingerprint = google_cert->fingerprint();
for (size_t i = 0; i < 20; ++i)
- EXPECT_EQ(google_fingerprint[i], fingerprint.data[i]);
+ EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]);
std::vector<std::string> dns_names;
google_cert->GetDNSNames(&dns_names);
- EXPECT_EQ(1U, dns_names.size());
+ ASSERT_EQ(1U, dns_names.size());
EXPECT_EQ("www.google.com", dns_names[0]);
#if TEST_EV
@@ -156,6 +251,16 @@ TEST(X509CertificateTest, GoogleCertParsing) {
#endif
}
+TEST(X509CertificateTest, GoogleCertParsing) {
+ scoped_refptr<X509Certificate> google_cert =
+ X509Certificate::CreateFromBytes(
+ reinterpret_cast<const char*>(google_der), sizeof(google_der));
+
+ CheckGoogleCert(google_cert, google_fingerprint,
+ 1238192407, // Mar 27 22:20:07 2009 GMT
+ 1269728407); // Mar 27 22:20:07 2010 GMT
+}
+
TEST(X509CertificateTest, WebkitCertParsing) {
scoped_refptr<X509Certificate> webkit_cert = X509Certificate::CreateFromBytes(
reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der));
@@ -167,9 +272,9 @@ TEST(X509CertificateTest, WebkitCertParsing) {
EXPECT_EQ("California", subject.state_or_province_name);
EXPECT_EQ("US", subject.country_name);
EXPECT_EQ(0U, subject.street_addresses.size());
- EXPECT_EQ(1U, subject.organization_names.size());
+ ASSERT_EQ(1U, subject.organization_names.size());
EXPECT_EQ("Apple Inc.", subject.organization_names[0]);
- EXPECT_EQ(1U, subject.organization_unit_names.size());
+ ASSERT_EQ(1U, subject.organization_unit_names.size());
EXPECT_EQ("Mac OS Forge", subject.organization_unit_names[0]);
EXPECT_EQ(0U, subject.domain_components.size());
@@ -179,9 +284,9 @@ TEST(X509CertificateTest, WebkitCertParsing) {
EXPECT_EQ("Arizona", issuer.state_or_province_name);
EXPECT_EQ("US", issuer.country_name);
EXPECT_EQ(0U, issuer.street_addresses.size());
- EXPECT_EQ(1U, issuer.organization_names.size());
+ ASSERT_EQ(1U, issuer.organization_names.size());
EXPECT_EQ("GoDaddy.com, Inc.", issuer.organization_names[0]);
- EXPECT_EQ(1U, issuer.organization_unit_names.size());
+ ASSERT_EQ(1U, issuer.organization_unit_names.size());
EXPECT_EQ("http://certificates.godaddy.com/repository",
issuer.organization_unit_names[0]);
EXPECT_EQ(0U, issuer.domain_components.size());
@@ -199,7 +304,7 @@ TEST(X509CertificateTest, WebkitCertParsing) {
std::vector<std::string> dns_names;
webkit_cert->GetDNSNames(&dns_names);
- EXPECT_EQ(2U, dns_names.size());
+ ASSERT_EQ(2U, dns_names.size());
EXPECT_EQ("*.webkit.org", dns_names[0]);
EXPECT_EQ("webkit.org", dns_names[1]);
@@ -224,7 +329,7 @@ TEST(X509CertificateTest, ThawteCertParsing) {
EXPECT_EQ("California", subject.state_or_province_name);
EXPECT_EQ("US", subject.country_name);
EXPECT_EQ(0U, subject.street_addresses.size());
- EXPECT_EQ(1U, subject.organization_names.size());
+ ASSERT_EQ(1U, subject.organization_names.size());
EXPECT_EQ("Thawte Inc", subject.organization_names[0]);
EXPECT_EQ(0U, subject.organization_unit_names.size());
EXPECT_EQ(0U, subject.domain_components.size());
@@ -235,9 +340,9 @@ TEST(X509CertificateTest, ThawteCertParsing) {
EXPECT_EQ("", issuer.state_or_province_name);
EXPECT_EQ("US", issuer.country_name);
EXPECT_EQ(0U, issuer.street_addresses.size());
- EXPECT_EQ(1U, issuer.organization_names.size());
+ ASSERT_EQ(1U, issuer.organization_names.size());
EXPECT_EQ("thawte, Inc.", issuer.organization_names[0]);
- EXPECT_EQ(1U, issuer.organization_unit_names.size());
+ ASSERT_EQ(1U, issuer.organization_unit_names.size());
EXPECT_EQ("Terms of use at https://www.thawte.com/cps (c)06",
issuer.organization_unit_names[0]);
EXPECT_EQ(0U, issuer.domain_components.size());
@@ -255,7 +360,7 @@ TEST(X509CertificateTest, ThawteCertParsing) {
std::vector<std::string> dns_names;
thawte_cert->GetDNSNames(&dns_names);
- EXPECT_EQ(1U, dns_names.size());
+ ASSERT_EQ(1U, dns_names.size());
EXPECT_EQ("www.thawte.com", dns_names[0]);
#if TEST_EV
@@ -528,4 +633,99 @@ TEST(X509CertificateTest, IntermediateCertificates) {
}
#endif
+#if defined(OS_MACOSX)
+TEST(X509CertificateTest, IsIssuedBy) {
+ FilePath certs_dir = GetTestCertsDirectory();
+
+ // Test a client certificate from MIT.
+ scoped_refptr<X509Certificate> mit_davidben_cert =
+ ImportCertFromFile(certs_dir, "mit.davidben.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert);
+
+ CertPrincipal mit_issuer;
+ mit_issuer.country_name = "US";
+ mit_issuer.state_or_province_name = "Massachusetts";
+ mit_issuer.organization_names.push_back(
+ "Massachusetts Institute of Technology");
+ mit_issuer.organization_unit_names.push_back("Client CA v1");
+
+ // IsIssuedBy should return true even if it cannot build a chain
+ // with that principal.
+ std::vector<CertPrincipal> mit_issuers(1, mit_issuer);
+ EXPECT_TRUE(mit_davidben_cert->IsIssuedBy(mit_issuers));
+
+ // Test a client certificate from FOAF.ME.
+ scoped_refptr<X509Certificate> foaf_me_chromium_test_cert =
+ ImportCertFromFile(certs_dir, "foaf.me.chromium-test-cert.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), foaf_me_chromium_test_cert);
+
+ CertPrincipal foaf_issuer;
+ foaf_issuer.common_name = "FOAF.ME";
+ foaf_issuer.locality_name = "Wimbledon";
+ foaf_issuer.state_or_province_name = "LONDON";
+ foaf_issuer.country_name = "GB";
+ foaf_issuer.organization_names.push_back("FOAF.ME");
+
+ std::vector<CertPrincipal> foaf_issuers(1, foaf_issuer);
+ EXPECT_TRUE(foaf_me_chromium_test_cert->IsIssuedBy(foaf_issuers));
+
+ // And test some combinations and mismatches.
+ std::vector<CertPrincipal> both_issuers;
+ both_issuers.push_back(mit_issuer);
+ both_issuers.push_back(foaf_issuer);
+ EXPECT_TRUE(foaf_me_chromium_test_cert->IsIssuedBy(both_issuers));
+ EXPECT_TRUE(mit_davidben_cert->IsIssuedBy(both_issuers));
+ EXPECT_FALSE(foaf_me_chromium_test_cert->IsIssuedBy(mit_issuers));
+ EXPECT_FALSE(mit_davidben_cert->IsIssuedBy(foaf_issuers));
+}
+#endif // defined(OS_MACOSX)
+
+class X509CertificateParseTest
+ : public testing::TestWithParam<CertificateFormatTestData> {
+ public:
+ virtual ~X509CertificateParseTest() {}
+ virtual void SetUp() {
+ test_data_ = GetParam();
+ }
+ virtual void TearDown() {}
+
+ protected:
+ CertificateFormatTestData test_data_;
+};
+
+TEST_P(X509CertificateParseTest, CanParseFormat) {
+ FilePath certs_dir = GetTestCertsDirectory();
+ CertificateList certs = CreateCertificateListFromFile(
+ certs_dir, test_data_.file_name, test_data_.format);
+ ASSERT_FALSE(certs.empty());
+ ASSERT_LE(certs.size(), arraysize(test_data_.chain_fingerprints));
+ CheckGoogleCert(certs.front(), google_parse_fingerprint,
+ kGoogleParseValidFrom, kGoogleParseValidTo);
+
+ size_t i;
+ for (i = 0; i < arraysize(test_data_.chain_fingerprints); ++i) {
+ if (test_data_.chain_fingerprints[i] == NULL) {
+ // No more test certificates expected - make sure no more were
+ // returned before marking this test a success.
+ EXPECT_EQ(i, certs.size());
+ break;
+ }
+
+ // A cert is expected - make sure that one was parsed.
+ ASSERT_LT(i, certs.size());
+
+ // Compare the parsed certificate with the expected certificate, by
+ // comparing fingerprints.
+ const X509Certificate* cert = certs[i];
+ const SHA1Fingerprint& actual_fingerprint = cert->fingerprint();
+ unsigned char* expected_fingerprint = test_data_.chain_fingerprints[i];
+
+ for (size_t j = 0; j < 20; ++j)
+ EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]);
+ }
+}
+
+INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest,
+ testing::ValuesIn(FormatTestData));
+
} // namespace net