1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_verifier.h"
6
7 #include "base/files/file_path.h"
8 #include "base/memory/ref_counted.h"
9 #include "net/cert/x509_certificate.h"
10 #include "net/cert/x509_util.h"
11 #include "net/test/cert_test_util.h"
12 #include "net/test/test_data_directory.h"
13 #include "testing/gtest/include/gtest/gtest.h"
14
15 namespace net {
16
TEST(CertVerifierTest,RequestParamsComparators)17 TEST(CertVerifierTest, RequestParamsComparators) {
18 const scoped_refptr<X509Certificate> ok_cert =
19 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
20 ASSERT_TRUE(ok_cert.get());
21
22 const scoped_refptr<X509Certificate> expired_cert =
23 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
24 ASSERT_TRUE(expired_cert.get());
25
26 const scoped_refptr<X509Certificate> root_cert =
27 ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
28 ASSERT_TRUE(root_cert.get());
29
30 // Create a certificate that contains both a leaf and an
31 // intermediate/root.
32 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> chain;
33 chain.push_back(bssl::UpRef(root_cert->cert_buffer()));
34 const scoped_refptr<X509Certificate> combined_cert =
35 X509Certificate::CreateFromBuffer(bssl::UpRef(ok_cert->cert_buffer()),
36 std::move(chain));
37 ASSERT_TRUE(combined_cert.get());
38
39 struct {
40 // Keys to test
41 CertVerifier::RequestParams key1;
42 CertVerifier::RequestParams key2;
43
44 // Whether or not |key1| and |key2| are expected to be equal.
45 bool equal;
46 } tests[] = {
47 {
48 // Test for basic equivalence.
49 CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
50 /*ocsp_response=*/std::string(),
51 /*sct_list=*/std::string()),
52 CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
53 /*ocsp_response=*/std::string(),
54 /*sct_list=*/std::string()),
55 true,
56 },
57 {
58 // Test that different certificates but with the same CA and for
59 // the same host are different validation keys.
60 CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
61 /*ocsp_response=*/std::string(),
62 /*sct_list=*/std::string()),
63 CertVerifier::RequestParams(expired_cert, "www.example.test", 0,
64 /*ocsp_response=*/std::string(),
65 /*sct_list=*/std::string()),
66 false,
67 },
68 {
69 // Test that the same EE certificate for the same host, but with
70 // different chains are different validation keys.
71 CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
72 /*ocsp_response=*/std::string(),
73 /*sct_list=*/std::string()),
74 CertVerifier::RequestParams(combined_cert, "www.example.test", 0,
75 /*ocsp_response=*/std::string(),
76 /*sct_list=*/std::string()),
77 false,
78 },
79 {
80 // The same certificate, with the same chain, but for different
81 // hosts are different validation keys.
82 CertVerifier::RequestParams(ok_cert, "www1.example.test", 0,
83 /*ocsp_response=*/std::string(),
84 /*sct_list=*/std::string()),
85 CertVerifier::RequestParams(ok_cert, "www2.example.test", 0,
86 /*ocsp_response=*/std::string(),
87 /*sct_list=*/std::string()),
88 false,
89 },
90 {
91 // The same certificate, chain, and host, but with different flags
92 // are different validation keys.
93 CertVerifier::RequestParams(
94 ok_cert, "www.example.test",
95 CertVerifier::VERIFY_DISABLE_NETWORK_FETCHES,
96 /*ocsp_response=*/std::string(),
97 /*sct_list=*/std::string()),
98 CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
99 /*ocsp_response=*/std::string(),
100 /*sct_list=*/std::string()),
101 false,
102 },
103 {
104 // Different OCSP responses.
105 CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
106 "ocsp response",
107 /*sct_list=*/std::string()),
108 CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
109 /*ocsp_response=*/std::string(),
110 /*sct_list=*/std::string()),
111 false,
112 },
113 {
114 // Different SignedCertificateTimestampList.
115 CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
116 /*ocsp_response=*/std::string(),
117 "sct list"),
118 CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
119 /*ocsp_response=*/std::string(),
120 /*sct_list=*/std::string()),
121 false,
122 },
123 };
124 for (const auto& test : tests) {
125 const CertVerifier::RequestParams& key1 = test.key1;
126 const CertVerifier::RequestParams& key2 = test.key2;
127
128 // Ensure that the keys are equivalent to themselves.
129 EXPECT_FALSE(key1 < key1);
130 EXPECT_FALSE(key2 < key2);
131
132 if (test.equal) {
133 EXPECT_TRUE(!(key1 < key2) && !(key2 < key1));
134 } else {
135 EXPECT_TRUE((key1 < key2) || (key2 < key1));
136 }
137 }
138 }
139
140 } // namespace net
141