0
代码
代码
Issues
Pull Requests
讨论
Wiki
分析
0
ohci1ohci1add
910e62b5创建于 1月15日历史提交
// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/cert/cert_verify_proc_android.h"

#include <memory>
#include <vector>

#include "net/cert/cert_net_fetcher.h"
#include "net/cert/cert_verify_proc_android.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/crl_set.h"
#include "net/cert/internal/test_helpers.h"
#include "net/cert/mock_cert_net_fetcher.h"
#include "net/cert/test_root_certs.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util.h"
#include "net/log/net_log_with_source.h"
#include "net/test/cert_builder.h"
#include "net/test/cert_test_util.h"
#include "net/test/test_certificate_data.h"
#include "net/test/test_data_directory.h"
#include "testing/gmock/include/gmock/gmock-matchers.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "url/gurl.h"

using ::testing::ByMove;
using ::testing::Return;
using ::testing::_;

namespace net {

namespace {

const char kHostname[] = "example.com";
const GURL kRootURL("http://aia.test/root");
const GURL kIntermediateURL("http://aia.test/intermediate");

std::unique_ptr<CertNetFetcher::Request>
CreateMockRequestWithInvalidCertificate() {
  return MockCertNetFetcherRequest::Create(std::vector<uint8_t>({1, 2, 3}));
}

// A test fixture for testing CertVerifyProcAndroid AIA fetching. It creates,
// sets up, and shuts down a MockCertNetFetcher for CertVerifyProcAndroid to
// use, and enables the field trial for AIA fetching.
class CertVerifyProcAndroidTestWithAIAFetching : public testing::Test {
 public:
  void SetUp() override {
    fetcher_ = base::MakeRefCounted<MockCertNetFetcher>();

    // Generate a certificate chain with AIA pointers. Tests can modify these
    // if testing a different scenario.
    std::tie(leaf_, intermediate_, root_) = CertBuilder::CreateSimpleChain3();
    root_->SetCaIssuersUrl(kRootURL);
    intermediate_->SetCaIssuersUrl(kRootURL);
    leaf_->SetCaIssuersUrl(kIntermediateURL);
    leaf_->SetSubjectAltName(kHostname);
  }

  void TearDown() override {
    // Ensure that mock expectations are checked, since the CertNetFetcher is
    // global and leaky.
    ASSERT_TRUE(testing::Mock::VerifyAndClearExpectations(fetcher_.get()));
  }

  scoped_refptr<X509Certificate> LeafOnly() {
    return leaf_->GetX509Certificate();
  }

  scoped_refptr<X509Certificate> LeafWithIntermediate() {
    return leaf_->GetX509CertificateChain();
  }

 protected:
  void TrustTestRoot() {
    scoped_test_root_.Reset({root_->GetX509Certificate()});
  }

  scoped_refptr<MockCertNetFetcher> fetcher_;
  std::unique_ptr<CertBuilder> root_;
  std::unique_ptr<CertBuilder> intermediate_;
  std::unique_ptr<CertBuilder> leaf_;

 private:
  ScopedTestRoot scoped_test_root_;
};

}  // namespace

// Tests that if the proper intermediates are supplied in the server-sent chain,
// no AIA fetch occurs.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
       NoFetchIfProperIntermediatesSupplied) {
  TrustTestRoot();
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());
  CertVerifyResult verify_result;
  EXPECT_EQ(OK, proc->Verify(LeafWithIntermediate().get(), kHostname,
                             /*ocsp_response=*/std::string(),
                             /*sct_list=*/std::string(), 0, &verify_result,
                             NetLogWithSource()));
}

// Tests that if the certificate does not contain an AIA URL, no AIA fetch
// occurs.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching, NoAIAURL) {
  leaf_->SetCaIssuersAndOCSPUrls(/*ca_issuers_urls=*/std::vector<GURL>(),
                                 /*ocsp_urls=*/std::vector<GURL>());
  TrustTestRoot();
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());
  CertVerifyResult verify_result;
  EXPECT_EQ(
      ERR_CERT_AUTHORITY_INVALID,
      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                   /*sct_list=*/std::string(), 0, &verify_result,
                   NetLogWithSource()));
}

// Tests that if a certificate contains one file:// URL and one http:// URL,
// there are two fetches, with the latter resulting in a successful
// verification.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching, OneFileAndOneHTTPURL) {
  const GURL kFileURL("file:///dev/null");
  leaf_->SetCaIssuersAndOCSPUrls(
      /*ca_issuers_urls=*/{kFileURL, kIntermediateURL},
      /*ocsp_urls=*/{});
  TrustTestRoot();
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());

  // Expect two fetches: the file:// URL (which returns an error), and the
  // http:// URL that returns a valid intermediate signed by |root_|. Though the
  // intermediate itself contains an AIA URL, it should not be fetched because
  // |root_| is in the test trust store.
  EXPECT_CALL(*fetcher_, FetchCaIssuers(kFileURL, _, _))
      .WillOnce(Return(ByMove(
          MockCertNetFetcherRequest::Create(ERR_DISALLOWED_URL_SCHEME))));
  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
      .WillOnce(Return(ByMove(
          MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer()))));

  CertVerifyResult verify_result;
  EXPECT_EQ(OK, proc->Verify(LeafOnly().get(), kHostname,
                             /*ocsp_response=*/std::string(),
                             /*sct_list=*/std::string(), 0, &verify_result,
                             NetLogWithSource()));
}

// Tests that if an AIA request returns the wrong intermediate, certificate
// verification should fail.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
       UnsuccessfulVerificationWithLeafOnly) {
  TrustTestRoot();
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());
  const scoped_refptr<X509Certificate> bad_intermediate =
      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");

  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
      .WillOnce(Return(ByMove(
          MockCertNetFetcherRequest::Create(bad_intermediate->cert_buffer()))));

  CertVerifyResult verify_result;
  EXPECT_EQ(
      ERR_CERT_AUTHORITY_INVALID,
      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                   /*sct_list=*/std::string(), 0, &verify_result,
                   NetLogWithSource()));
}

// Tests that if an AIA request returns an error, certificate verification
// should fail.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
       UnsuccessfulVerificationWithLeafOnlyAndErrorOnFetch) {
  TrustTestRoot();
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());

  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
      .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED))));

  CertVerifyResult verify_result;
  EXPECT_EQ(
      ERR_CERT_AUTHORITY_INVALID,
      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                   /*sct_list=*/std::string(), 0, &verify_result,
                   NetLogWithSource()));
}

// Tests that if an AIA request returns an unparseable cert, certificate
// verification should fail.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
       UnsuccessfulVerificationWithLeafOnlyAndUnparseableFetch) {
  TrustTestRoot();
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());

  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
      .WillOnce(Return(ByMove(CreateMockRequestWithInvalidCertificate())));

  CertVerifyResult verify_result;
  EXPECT_EQ(
      ERR_CERT_AUTHORITY_INVALID,
      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                   /*sct_list=*/std::string(), 0, &verify_result,
                   NetLogWithSource()));
}

// Tests that if a certificate has two HTTP AIA URLs, they are both fetched. If
// one serves an unrelated certificate and one serves a proper intermediate, the
// latter should be used to build a valid chain.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching, TwoHTTPURLs) {
  const GURL kUnrelatedURL("http://aia.test/unrelated");
  leaf_->SetCaIssuersAndOCSPUrls(
      /*ca_issuers_urls=*/{kUnrelatedURL, kIntermediateURL},
      /*ocsp_urls=*/{});
  scoped_refptr<X509Certificate> unrelated =
      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
  ASSERT_TRUE(unrelated);

  TrustTestRoot();
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());

  // Expect two fetches, the first of which returns an unrelated certificate
  // that is not useful in chain-building, and the second of which returns a
  // valid intermediate signed by |root_|. Though the intermediate itself
  // contains an AIA URL, it should not be fetched because |root_| is in the
  // trust store.
  EXPECT_CALL(*fetcher_, FetchCaIssuers(kUnrelatedURL, _, _))
      .WillOnce(Return(
          ByMove(MockCertNetFetcherRequest::Create(unrelated->cert_buffer()))));
  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
      .WillOnce(Return(ByMove(
          MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer()))));

  CertVerifyResult verify_result;
  EXPECT_EQ(OK, proc->Verify(LeafOnly().get(), kHostname,
                             /*ocsp_response=*/std::string(),
                             /*sct_list=*/std::string(), 0, &verify_result,
                             NetLogWithSource()));
}

// Tests that if an intermediate is fetched via AIA, and the intermediate itself
// has an AIA URL, that URL is fetched if necessary.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
       AIAFetchForFetchedIntermediate) {
  // Do not set up the test root to be trusted. If the test root were trusted,
  // then the intermediate would not require an AIA fetch. With the test root
  // untrusted, the intermediate does not verify and so it will trigger an AIA
  // fetch.
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());

  // Expect two fetches, the first of which returns an intermediate that itself
  // has an AIA URL.
  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
      .WillOnce(Return(ByMove(
          MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer()))));
  EXPECT_CALL(*fetcher_, FetchCaIssuers(kRootURL, _, _))
      .WillOnce(Return(
          ByMove(MockCertNetFetcherRequest::Create(root_->GetCertBuffer()))));

  CertVerifyResult verify_result;
  // This chain results in an AUTHORITY_INVALID root because |root_| is not
  // trusted.
  EXPECT_EQ(
      ERR_CERT_AUTHORITY_INVALID,
      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                   /*sct_list=*/std::string(), 0, &verify_result,
                   NetLogWithSource()));
}

// Tests that if a certificate contains six AIA URLs, only the first five are
// fetched, since the maximum number of fetches per Verify() call is five.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching, MaxAIAFetches) {
  leaf_->SetCaIssuersAndOCSPUrls(
      /*ca_issuers_urls=*/{GURL("http://aia.test/1"), GURL("http://aia.test/2"),
                           GURL("http://aia.test/3"), GURL("http://aia.test/4"),
                           GURL("http://aia.test/5"),
                           GURL("http://aia.test/6")},
      /*ocsp_urls=*/{});
  TrustTestRoot();
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());

  EXPECT_CALL(*fetcher_, FetchCaIssuers(_, _, _))
      .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED))))
      .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED))))
      .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED))))
      .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED))))
      .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED))));

  CertVerifyResult verify_result;
  EXPECT_EQ(
      ERR_CERT_AUTHORITY_INVALID,
      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                   /*sct_list=*/std::string(), 0, &verify_result,
                   NetLogWithSource()));
}

// Tests that if the supplied chain contains an intermediate with an AIA URL,
// that AIA URL is fetched if necessary.
TEST_F(CertVerifyProcAndroidTestWithAIAFetching, FetchForSuppliedIntermediate) {
  // Do not set up the test root to be trusted. If the test root were trusted,
  // then the intermediate would not require an AIA fetch. With the test root
  // untrusted, the intermediate does not verify and so it will trigger an AIA
  // fetch.
  scoped_refptr<CertVerifyProcAndroid> proc =
      base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
                                                  CRLSet::BuiltinCRLSet());

  EXPECT_CALL(*fetcher_, FetchCaIssuers(kRootURL, _, _))
      .WillOnce(Return(
          ByMove(MockCertNetFetcherRequest::Create(root_->GetCertBuffer()))));

  CertVerifyResult verify_result;
  // This chain results in an AUTHORITY_INVALID root because |root_| is not
  // trusted.
  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID,
            proc->Verify(LeafWithIntermediate().get(), kHostname,
                         /*ocsp_response=*/std::string(),
                         /*sct_list=*/std::string(), 0, &verify_result,
                         NetLogWithSource()));
}

}  // namespace net