// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/x509_certificate.h" #include <stdint.h> #include <memory> #include <string_view> #include "base/containers/span.h" #include "base/files/file_path.h" #include "base/files/file_util.h" #include "base/hash/sha1.h" #include "base/pickle.h" #include "base/strings/strcat.h" #include "base/strings/string_number_conversions.h" #include "base/strings/string_split.h" #include "base/strings/string_util.h" #include "base/time/time.h" #include "crypto/rsa_private_key.h" #include "net/base/net_errors.h" #include "net/cert/asn1_util.h" #include "net/cert/x509_util.h" #include "net/test/cert_builder.h" #include "net/test/cert_test_util.h" #include "net/test/test_certificate_data.h" #include "net/test/test_data_directory.h" #include "testing/gtest/include/gtest/gtest.h" #include "third_party/boringssl/src/pki/parse_certificate.h" #include "third_party/boringssl/src/pki/pem.h" HexEncode; Time; namespace net { namespace { // Certificates for test data. They're obtained with: // // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der // // For fingerprint // $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der // For valid_start, valid_expiry // $ openssl x509 -inform DER -text -noout < /tmp/host.der | // grep -A 2 Validity // $ date +%s -d '<date str>' // Google's cert. SHA256HashValue google_fingerprint = …; // The fingerprint of the Google certificate used in the parsing tests, // which is newer than the one included in the x509_certificate_data.h SHA256HashValue google_parse_fingerprint = …; // The fingerprint for the Thawte SGC certificate SHA256HashValue thawte_parse_fingerprint = …; // Dec 18 00:00:00 2009 GMT const double kGoogleParseValidFrom = …; // Dec 18 23:59:59 2011 GMT const double kGoogleParseValidTo = …; void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, const SHA256HashValue& expected_fingerprint, double valid_from, double valid_to) { … } void ExpectX509CertificateMembersEqual( const scoped_refptr<X509Certificate>& a, const scoped_refptr<X509Certificate>& b) { … } } // namespace TEST(X509CertificateTest, GoogleCertParsing) { … } TEST(X509CertificateTest, WebkitCertParsing) { … } TEST(X509CertificateTest, ThawteCertParsing) { … } // Test that all desired AttributeAndValue pairs can be extracted when only // a single bssl::RelativeDistinguishedName is present. "Normally" there is only // one AVA per RDN, but some CAs place all AVAs within a single RDN. // This is a regression test for http://crbug.com/101009 TEST(X509CertificateTest, MultivalueRDN) { … } // Test that characters which would normally be escaped in the string form, // such as '=' or '"', are not escaped when parsed as individual components. // This is a regression test for http://crbug.com/102839 TEST(X509CertificateTest, UnescapedSpecialCharacters) { … } TEST(X509CertificateTest, InvalidPrintableStringIsUtf8) { … } TEST(X509CertificateTest, TeletexStringIsLatin1) { … } TEST(X509CertificateTest, TeletexStringControlChars) { … } TEST(X509CertificateTest, TeletexStringIsLatin1NotCp1252) { … } TEST(X509CertificateTest, TeletexStringIsNotARealT61String) { … } TEST(X509CertificateTest, SerialNumbers) { … } TEST(X509CertificateTest, SerialNumberZeroPadded) { … } TEST(X509CertificateTest, SerialNumberZeroPadded21BytesLong) { … } TEST(X509CertificateTest, SerialNumberNegative) { … } TEST(X509CertificateTest, SerialNumber37BytesLong) { … } TEST(X509CertificateTest, SHA256FingerprintsCorrectly) { … } TEST(X509CertificateTest, CAFingerprints) { … } TEST(X509CertificateTest, ParseSubjectAltNames) { … } TEST(X509CertificateTest, ExtractSPKIFromDERCert) { … } TEST(X509CertificateTest, HasCanSignHttpExchangesDraftExtension) { … } TEST(X509CertificateTest, HasCanSignHttpExchangesDraftExtensionInvalid) { … } TEST(X509CertificateTest, DoesNotHaveCanSignHttpExchangesDraftExtension) { … } TEST(X509CertificateTest, ExtractExtension) { … } // Tests CRYPTO_BUFFER deduping via X509Certificate::CreateFromBuffer. We // call X509Certificate::CreateFromBuffer several times and observe whether // it returns a cached or new CRYPTO_BUFFER. TEST(X509CertificateTest, Cache) { … } TEST(X509CertificateTest, CloneWithDifferentIntermediates) { … } TEST(X509CertificateTest, Pickle) { … } TEST(X509CertificateTest, IntermediateCertificates) { … } TEST(X509CertificateTest, Equals) { … } TEST(X509CertificateTest, IsIssuedByEncoded) { … } TEST(X509CertificateTest, IsSelfSigned) { … } TEST(X509CertificateTest, IsIssuedByEncodedWithIntermediates) { … } const struct CertificateFormatTestData { … } kFormatTestData[] = …; class X509CertificateParseTest : public testing::TestWithParam<CertificateFormatTestData> { … }; TEST_P(X509CertificateParseTest, CanParseFormat) { … } INSTANTIATE_TEST_SUITE_P(…); struct CertificateNameVerifyTestData { … }; // GTest 'magic' pretty-printer, so that if/when a test fails, it knows how // to output the parameter that was passed. Without this, it will simply // attempt to print out the first twenty bytes of the object, which depending // on platform and alignment, may result in an invalid read. void PrintTo(const CertificateNameVerifyTestData& data, std::ostream* os) { … } const CertificateNameVerifyTestData kNameVerifyTestData[] = …; class X509CertificateNameVerifyTest : public testing::TestWithParam<CertificateNameVerifyTestData> { … }; TEST_P(X509CertificateNameVerifyTest, VerifyHostname) { … } INSTANTIATE_TEST_SUITE_P(…); const struct PublicKeyInfoTestData { … } kPublicKeyInfoTestData[] = …; class X509CertificatePublicKeyInfoTest : public testing::TestWithParam<PublicKeyInfoTestData> { … }; TEST_P(X509CertificatePublicKeyInfoTest, GetPublicKeyInfo) { … } INSTANTIATE_TEST_SUITE_P(…); } // namespace net
Codebase Browser
chromium