1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/x509_util_nss.h"
6
7 #include <string_view>
8
9 #include "base/files/file_path.h"
10 #include "base/files/file_util.h"
11 #include "base/time/time.h"
12 #include "net/cert/scoped_nss_types.h"
13 #include "net/cert/x509_certificate.h"
14 #include "net/cert/x509_util.h"
15 #include "net/test/cert_test_util.h"
16 #include "net/test/test_certificate_data.h"
17 #include "net/test/test_data_directory.h"
18 #include "testing/gtest/include/gtest/gtest.h"
19
20 namespace net {
21
22 namespace {
23
BytesForNSSCert(CERTCertificate * cert)24 std::string BytesForNSSCert(CERTCertificate* cert) {
25 std::string der_encoded;
26 if (!x509_util::GetDEREncoded(cert, &der_encoded))
27 ADD_FAILURE();
28 return der_encoded;
29 }
30
31 } // namespace
32
TEST(X509UtilNSSTest,IsSameCertificate)33 TEST(X509UtilNSSTest, IsSameCertificate) {
34 ScopedCERTCertificate google_nss_cert(
35 x509_util::CreateCERTCertificateFromBytes(google_der));
36 ASSERT_TRUE(google_nss_cert);
37
38 ScopedCERTCertificate google_nss_cert2(
39 x509_util::CreateCERTCertificateFromBytes(google_der));
40 ASSERT_TRUE(google_nss_cert2);
41
42 ScopedCERTCertificate webkit_nss_cert(
43 x509_util::CreateCERTCertificateFromBytes(webkit_der));
44 ASSERT_TRUE(webkit_nss_cert);
45
46 scoped_refptr<X509Certificate> google_x509_cert(
47 X509Certificate::CreateFromBytes(google_der));
48 ASSERT_TRUE(google_x509_cert);
49
50 scoped_refptr<X509Certificate> webkit_x509_cert(
51 X509Certificate::CreateFromBytes(webkit_der));
52 ASSERT_TRUE(webkit_x509_cert);
53
54 EXPECT_TRUE(x509_util::IsSameCertificate(google_nss_cert.get(),
55 google_nss_cert.get()));
56 EXPECT_TRUE(x509_util::IsSameCertificate(google_nss_cert.get(),
57 google_nss_cert2.get()));
58 EXPECT_TRUE(x509_util::IsSameCertificate(google_nss_cert.get(),
59 google_x509_cert.get()));
60 EXPECT_TRUE(x509_util::IsSameCertificate(google_x509_cert.get(),
61 google_nss_cert.get()));
62
63 EXPECT_TRUE(x509_util::IsSameCertificate(webkit_nss_cert.get(),
64 webkit_nss_cert.get()));
65 EXPECT_TRUE(x509_util::IsSameCertificate(webkit_nss_cert.get(),
66 webkit_x509_cert.get()));
67 EXPECT_TRUE(x509_util::IsSameCertificate(webkit_x509_cert.get(),
68 webkit_nss_cert.get()));
69
70 EXPECT_FALSE(x509_util::IsSameCertificate(google_nss_cert.get(),
71 webkit_nss_cert.get()));
72 EXPECT_FALSE(x509_util::IsSameCertificate(google_nss_cert.get(),
73 webkit_x509_cert.get()));
74 EXPECT_FALSE(x509_util::IsSameCertificate(google_x509_cert.get(),
75 webkit_nss_cert.get()));
76 }
77
TEST(X509UtilNSSTest,CreateCERTCertificateFromBytes)78 TEST(X509UtilNSSTest, CreateCERTCertificateFromBytes) {
79 ScopedCERTCertificate google_cert(
80 x509_util::CreateCERTCertificateFromBytes(google_der));
81 ASSERT_TRUE(google_cert);
82 EXPECT_STREQ(
83 "CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US",
84 google_cert->subjectName);
85 }
86
TEST(X509UtilNSSTest,CreateCERTCertificateFromBytesGarbage)87 TEST(X509UtilNSSTest, CreateCERTCertificateFromBytesGarbage) {
88 EXPECT_EQ(nullptr, x509_util::CreateCERTCertificateFromBytes(
89 base::span<const uint8_t>()));
90
91 static const uint8_t garbage_data[] = "garbage";
92 EXPECT_EQ(nullptr, x509_util::CreateCERTCertificateFromBytes(garbage_data));
93 }
94
TEST(X509UtilNSSTest,CreateCERTCertificateFromX509Certificate)95 TEST(X509UtilNSSTest, CreateCERTCertificateFromX509Certificate) {
96 scoped_refptr<X509Certificate> x509_cert =
97 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
98 ASSERT_TRUE(x509_cert);
99 ScopedCERTCertificate nss_cert =
100 x509_util::CreateCERTCertificateFromX509Certificate(x509_cert.get());
101 ASSERT_TRUE(nss_cert);
102 EXPECT_STREQ("CN=127.0.0.1,O=Test CA,L=Mountain View,ST=California,C=US",
103 nss_cert->subjectName);
104 }
105
TEST(X509UtilNSSTest,CreateCERTCertificateListFromX509Certificate)106 TEST(X509UtilNSSTest, CreateCERTCertificateListFromX509Certificate) {
107 scoped_refptr<X509Certificate> x509_cert = CreateCertificateChainFromFile(
108 GetTestCertsDirectory(), "multi-root-chain1.pem",
109 X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
110 ASSERT_TRUE(x509_cert);
111 EXPECT_EQ(3U, x509_cert->intermediate_buffers().size());
112
113 ScopedCERTCertificateList nss_certs =
114 x509_util::CreateCERTCertificateListFromX509Certificate(x509_cert.get());
115 ASSERT_EQ(4U, nss_certs.size());
116 for (int i = 0; i < 4; ++i)
117 ASSERT_TRUE(nss_certs[i]);
118
119 EXPECT_EQ(x509_util::CryptoBufferAsStringPiece(x509_cert->cert_buffer()),
120 BytesForNSSCert(nss_certs[0].get()));
121 EXPECT_EQ(x509_util::CryptoBufferAsStringPiece(
122 x509_cert->intermediate_buffers()[0].get()),
123 BytesForNSSCert(nss_certs[1].get()));
124 EXPECT_EQ(x509_util::CryptoBufferAsStringPiece(
125 x509_cert->intermediate_buffers()[1].get()),
126 BytesForNSSCert(nss_certs[2].get()));
127 EXPECT_EQ(x509_util::CryptoBufferAsStringPiece(
128 x509_cert->intermediate_buffers()[2].get()),
129 BytesForNSSCert(nss_certs[3].get()));
130 }
131
TEST(X509UtilTest,CreateCERTCertificateListFromX509CertificateErrors)132 TEST(X509UtilTest, CreateCERTCertificateListFromX509CertificateErrors) {
133 scoped_refptr<X509Certificate> ok_cert(
134 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
135 ASSERT_TRUE(ok_cert);
136
137 bssl::UniquePtr<CRYPTO_BUFFER> bad_cert =
138 x509_util::CreateCryptoBuffer(std::string_view("invalid"));
139 ASSERT_TRUE(bad_cert);
140
141 scoped_refptr<X509Certificate> ok_cert2(
142 ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem"));
143 ASSERT_TRUE(ok_cert);
144
145 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
146 intermediates.push_back(std::move(bad_cert));
147 intermediates.push_back(bssl::UpRef(ok_cert2->cert_buffer()));
148 scoped_refptr<X509Certificate> cert_with_intermediates(
149 X509Certificate::CreateFromBuffer(bssl::UpRef(ok_cert->cert_buffer()),
150 std::move(intermediates)));
151 ASSERT_TRUE(cert_with_intermediates);
152 EXPECT_EQ(2U, cert_with_intermediates->intermediate_buffers().size());
153
154 // Normal CreateCERTCertificateListFromX509Certificate fails with invalid
155 // certs in chain.
156 ScopedCERTCertificateList nss_certs =
157 x509_util::CreateCERTCertificateListFromX509Certificate(
158 cert_with_intermediates.get());
159 EXPECT_TRUE(nss_certs.empty());
160
161 // With InvalidIntermediateBehavior::kIgnore, invalid intermediate certs
162 // should be silently dropped.
163 nss_certs = x509_util::CreateCERTCertificateListFromX509Certificate(
164 cert_with_intermediates.get(),
165 x509_util::InvalidIntermediateBehavior::kIgnore);
166 ASSERT_EQ(2U, nss_certs.size());
167 for (const auto& nss_cert : nss_certs)
168 ASSERT_TRUE(nss_cert.get());
169
170 EXPECT_EQ(x509_util::CryptoBufferAsStringPiece(ok_cert->cert_buffer()),
171 BytesForNSSCert(nss_certs[0].get()));
172 EXPECT_EQ(x509_util::CryptoBufferAsStringPiece(ok_cert2->cert_buffer()),
173 BytesForNSSCert(nss_certs[1].get()));
174 }
175
TEST(X509UtilNSSTest,CreateCERTCertificateListFromBytes)176 TEST(X509UtilNSSTest, CreateCERTCertificateListFromBytes) {
177 base::FilePath cert_path =
178 GetTestCertsDirectory().AppendASCII("multi-root-chain1.pem");
179 std::string cert_data;
180 ASSERT_TRUE(base::ReadFileToString(cert_path, &cert_data));
181
182 ScopedCERTCertificateList certs =
183 x509_util::CreateCERTCertificateListFromBytes(
184 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO);
185 ASSERT_EQ(4U, certs.size());
186 EXPECT_STREQ("CN=127.0.0.1,O=Test CA,L=Mountain View,ST=California,C=US",
187 certs[0]->subjectName);
188 EXPECT_STREQ("CN=B CA - Multi-root", certs[1]->subjectName);
189 EXPECT_STREQ("CN=C CA - Multi-root", certs[2]->subjectName);
190 EXPECT_STREQ("CN=D Root CA - Multi-root", certs[3]->subjectName);
191 }
192
TEST(X509UtilNSSTest,DupCERTCertificate)193 TEST(X509UtilNSSTest, DupCERTCertificate) {
194 ScopedCERTCertificate cert(
195 x509_util::CreateCERTCertificateFromBytes(google_der));
196 ASSERT_TRUE(cert);
197
198 ScopedCERTCertificate cert2 = x509_util::DupCERTCertificate(cert.get());
199 // Both handles should hold a reference to the same CERTCertificate object.
200 ASSERT_EQ(cert.get(), cert2.get());
201
202 // Release the initial handle.
203 cert.reset();
204 // The duped handle should still be safe to access.
205 EXPECT_STREQ(
206 "CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US",
207 cert2->subjectName);
208 }
209
TEST(X509UtilNSSTest,DupCERTCertificateList)210 TEST(X509UtilNSSTest, DupCERTCertificateList) {
211 ScopedCERTCertificate cert(
212 x509_util::CreateCERTCertificateFromBytes(google_der));
213 ASSERT_TRUE(cert);
214 ScopedCERTCertificate cert2(
215 x509_util::CreateCERTCertificateFromBytes(webkit_der));
216 ASSERT_TRUE(cert2);
217 ScopedCERTCertificateList certs;
218 certs.push_back(std::move(cert));
219 certs.push_back(std::move(cert2));
220
221 ScopedCERTCertificateList certs_dup =
222 x509_util::DupCERTCertificateList(certs);
223 ASSERT_EQ(2U, certs_dup.size());
224 ASSERT_EQ(certs[0].get(), certs_dup[0].get());
225 ASSERT_EQ(certs[1].get(), certs_dup[1].get());
226
227 // Release the initial handles.
228 certs.clear();
229 // The duped handles should still be safe to access.
230 EXPECT_STREQ(
231 "CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US",
232 certs_dup[0]->subjectName);
233 EXPECT_STREQ(
234 "CN=*.webkit.org,OU=Mac OS Forge,O=Apple "
235 "Inc.,L=Cupertino,ST=California,C=US",
236 certs_dup[1]->subjectName);
237 }
238
TEST(X509UtilNSSTest,DupCERTCertificateList_EmptyList)239 TEST(X509UtilNSSTest, DupCERTCertificateList_EmptyList) {
240 EXPECT_EQ(0U, x509_util::DupCERTCertificateList({}).size());
241 }
242
TEST(X509UtilNSSTest,CreateX509CertificateFromCERTCertificate_NoChain)243 TEST(X509UtilNSSTest, CreateX509CertificateFromCERTCertificate_NoChain) {
244 ScopedCERTCertificate nss_cert(
245 x509_util::CreateCERTCertificateFromBytes(google_der));
246 ASSERT_TRUE(nss_cert);
247 scoped_refptr<X509Certificate> x509_cert =
248 x509_util::CreateX509CertificateFromCERTCertificate(nss_cert.get());
249 EXPECT_EQ(BytesForNSSCert(nss_cert.get()),
250 x509_util::CryptoBufferAsStringPiece(x509_cert->cert_buffer()));
251 EXPECT_TRUE(x509_cert->intermediate_buffers().empty());
252 }
253
TEST(X509UtilNSSTest,CreateX509CertificateFromCERTCertificate_EmptyChain)254 TEST(X509UtilNSSTest, CreateX509CertificateFromCERTCertificate_EmptyChain) {
255 ScopedCERTCertificate nss_cert(
256 x509_util::CreateCERTCertificateFromBytes(google_der));
257 ASSERT_TRUE(nss_cert);
258 scoped_refptr<X509Certificate> x509_cert =
259 x509_util::CreateX509CertificateFromCERTCertificate(
260 nss_cert.get(), std::vector<CERTCertificate*>());
261 EXPECT_EQ(BytesForNSSCert(nss_cert.get()),
262 x509_util::CryptoBufferAsStringPiece(x509_cert->cert_buffer()));
263 EXPECT_TRUE(x509_cert->intermediate_buffers().empty());
264 }
265
TEST(X509UtilNSSTest,CreateX509CertificateFromCERTCertificate_WithChain)266 TEST(X509UtilNSSTest, CreateX509CertificateFromCERTCertificate_WithChain) {
267 ScopedCERTCertificate nss_cert(
268 x509_util::CreateCERTCertificateFromBytes(google_der));
269 ASSERT_TRUE(nss_cert);
270 ScopedCERTCertificate nss_cert2(
271 x509_util::CreateCERTCertificateFromBytes(webkit_der));
272 ASSERT_TRUE(nss_cert2);
273
274 std::vector<CERTCertificate*> chain;
275 chain.push_back(nss_cert2.get());
276
277 scoped_refptr<X509Certificate> x509_cert =
278 x509_util::CreateX509CertificateFromCERTCertificate(nss_cert.get(),
279 chain);
280 EXPECT_EQ(BytesForNSSCert(nss_cert.get()),
281 x509_util::CryptoBufferAsStringPiece(x509_cert->cert_buffer()));
282 ASSERT_EQ(1U, x509_cert->intermediate_buffers().size());
283 EXPECT_EQ(x509_util::CryptoBufferAsStringPiece(
284 x509_cert->intermediate_buffers()[0].get()),
285 BytesForNSSCert(nss_cert2.get()));
286 }
287
TEST(X509UtilNSSTest,CreateX509CertificateListFromCERTCertificates)288 TEST(X509UtilNSSTest, CreateX509CertificateListFromCERTCertificates) {
289 ScopedCERTCertificate nss_cert(
290 x509_util::CreateCERTCertificateFromBytes(google_der));
291 ASSERT_TRUE(nss_cert);
292 ScopedCERTCertificate nss_cert2(
293 x509_util::CreateCERTCertificateFromBytes(webkit_der));
294 ASSERT_TRUE(nss_cert2);
295 ScopedCERTCertificateList nss_certs;
296 nss_certs.push_back(std::move(nss_cert));
297 nss_certs.push_back(std::move(nss_cert2));
298
299 CertificateList x509_certs =
300 x509_util::CreateX509CertificateListFromCERTCertificates(nss_certs);
301 ASSERT_EQ(2U, x509_certs.size());
302
303 EXPECT_EQ(BytesForNSSCert(nss_certs[0].get()),
304 x509_util::CryptoBufferAsStringPiece(x509_certs[0]->cert_buffer()));
305 EXPECT_EQ(BytesForNSSCert(nss_certs[1].get()),
306 x509_util::CryptoBufferAsStringPiece(x509_certs[1]->cert_buffer()));
307 }
308
TEST(X509UtilNSSTest,CreateX509CertificateListFromCERTCertificates_EmptyList)309 TEST(X509UtilNSSTest, CreateX509CertificateListFromCERTCertificates_EmptyList) {
310 ScopedCERTCertificateList nss_certs;
311 CertificateList x509_certs =
312 x509_util::CreateX509CertificateListFromCERTCertificates(nss_certs);
313 ASSERT_EQ(0U, x509_certs.size());
314 }
315
TEST(X509UtilNSSTest,GetDEREncoded)316 TEST(X509UtilNSSTest, GetDEREncoded) {
317 ScopedCERTCertificate google_cert(
318 x509_util::CreateCERTCertificateFromBytes(google_der));
319 ASSERT_TRUE(google_cert);
320 std::string der_encoded;
321 ASSERT_TRUE(x509_util::GetDEREncoded(google_cert.get(), &der_encoded));
322 EXPECT_EQ(std::string(reinterpret_cast<const char*>(google_der),
323 std::size(google_der)),
324 der_encoded);
325 }
326
TEST(X509UtilNSSTest,GetDefaultNickname)327 TEST(X509UtilNSSTest, GetDefaultNickname) {
328 base::FilePath certs_dir = GetTestCertsDirectory();
329
330 ScopedCERTCertificate test_cert = ImportCERTCertificateFromFile(
331 certs_dir, "no_subject_common_name_cert.pem");
332 ASSERT_TRUE(test_cert);
333
334 std::string nickname = x509_util::GetDefaultUniqueNickname(
335 test_cert.get(), USER_CERT, nullptr /*slot*/);
336 EXPECT_EQ(
337 "[email protected]'s COMODO Client Authentication and "
338 "Secure Email CA ID",
339 nickname);
340 }
341
TEST(X509UtilNSSTest,GetCERTNameDisplayName_CN)342 TEST(X509UtilNSSTest, GetCERTNameDisplayName_CN) {
343 base::FilePath certs_dir = GetTestCertsDirectory();
344
345 ScopedCERTCertificate test_cert =
346 ImportCERTCertificateFromFile(certs_dir, "ok_cert.pem");
347 ASSERT_TRUE(test_cert);
348 scoped_refptr<X509Certificate> x509_test_cert =
349 ImportCertFromFile(certs_dir, "ok_cert.pem");
350 ASSERT_TRUE(x509_test_cert);
351
352 std::string name = x509_util::GetCERTNameDisplayName(&test_cert->subject);
353 EXPECT_EQ("127.0.0.1", name);
354 EXPECT_EQ(x509_test_cert->subject().GetDisplayName(), name);
355 }
356
TEST(X509UtilNSSTest,GetCERTNameDisplayName_O)357 TEST(X509UtilNSSTest, GetCERTNameDisplayName_O) {
358 base::FilePath certs_dir =
359 GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest");
360
361 ScopedCERTCertificate test_cert =
362 ImportCERTCertificateFromFile(certs_dir, "subject_t61string.pem");
363 ASSERT_TRUE(test_cert);
364 scoped_refptr<X509Certificate> x509_test_cert =
365 ImportCertFromFile(certs_dir, "subject_t61string.pem");
366 ASSERT_TRUE(x509_test_cert);
367
368 std::string name = x509_util::GetCERTNameDisplayName(&test_cert->subject);
369 EXPECT_EQ(
370 " !\"#$%&'()*+,-./"
371 "0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`"
372 "abcdefghijklmnopqrstuvwxyz{|}~"
373 " ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæç"
374 "èéêëìíîïðñòóôõö÷øùúûüýþÿ",
375 name);
376 EXPECT_EQ(x509_test_cert->subject().GetDisplayName(), name);
377 }
378
TEST(X509UtilNSSTest,ParseClientSubjectAltNames)379 TEST(X509UtilNSSTest, ParseClientSubjectAltNames) {
380 base::FilePath certs_dir = GetTestCertsDirectory();
381
382 // This cert contains one rfc822Name field, and one Microsoft UPN
383 // otherName field.
384 ScopedCERTCertificate san_cert =
385 ImportCERTCertificateFromFile(certs_dir, "client_3.pem");
386 ASSERT_TRUE(san_cert);
387
388 std::vector<std::string> rfc822_names;
389 x509_util::GetRFC822SubjectAltNames(san_cert.get(), &rfc822_names);
390 ASSERT_EQ(1U, rfc822_names.size());
391 EXPECT_EQ("[email protected]", rfc822_names[0]);
392
393 std::vector<std::string> upn_names;
394 x509_util::GetUPNSubjectAltNames(san_cert.get(), &upn_names);
395 ASSERT_EQ(1U, upn_names.size());
396 EXPECT_EQ("[email protected]", upn_names[0]);
397 }
398
TEST(X509UtilNSSTest,GetValidityTimes)399 TEST(X509UtilNSSTest, GetValidityTimes) {
400 ScopedCERTCertificate google_cert(
401 x509_util::CreateCERTCertificateFromBytes(google_der));
402 ASSERT_TRUE(google_cert);
403
404 base::Time not_before, not_after;
405 EXPECT_TRUE(
406 x509_util::GetValidityTimes(google_cert.get(), ¬_before, ¬_after));
407
408 // Constants copied from x509_certificate_unittest.cc.
409 EXPECT_EQ(1238192407, // Mar 27 22:20:07 2009 GMT
410 not_before.InSecondsFSinceUnixEpoch());
411 EXPECT_EQ(1269728407, // Mar 27 22:20:07 2010 GMT
412 not_after.InSecondsFSinceUnixEpoch());
413 }
414
TEST(X509UtilNSSTest,GetValidityTimesOptionalArgs)415 TEST(X509UtilNSSTest, GetValidityTimesOptionalArgs) {
416 ScopedCERTCertificate google_cert(
417 x509_util::CreateCERTCertificateFromBytes(google_der));
418 ASSERT_TRUE(google_cert);
419
420 base::Time not_before;
421 EXPECT_TRUE(
422 x509_util::GetValidityTimes(google_cert.get(), ¬_before, nullptr));
423 // Constants copied from x509_certificate_unittest.cc.
424 EXPECT_EQ(1238192407, // Mar 27 22:20:07 2009 GMT
425 not_before.InSecondsFSinceUnixEpoch());
426
427 base::Time not_after;
428 EXPECT_TRUE(
429 x509_util::GetValidityTimes(google_cert.get(), nullptr, ¬_after));
430 EXPECT_EQ(1269728407, // Mar 27 22:20:07 2010 GMT
431 not_after.InSecondsFSinceUnixEpoch());
432 }
433
TEST(X509UtilNSSTest,CalculateFingerprint256)434 TEST(X509UtilNSSTest, CalculateFingerprint256) {
435 static const SHA256HashValue google_fingerprint = {
436 {0x21, 0xaf, 0x58, 0x74, 0xea, 0x6b, 0xad, 0xbd, 0xe4, 0xb3, 0xb1,
437 0xaa, 0x53, 0x32, 0x80, 0x8f, 0xbf, 0x8a, 0x24, 0x7d, 0x98, 0xec,
438 0x7f, 0x77, 0x49, 0x38, 0x42, 0x81, 0x26, 0x7f, 0xed, 0x38}};
439
440 ScopedCERTCertificate google_cert(
441 x509_util::CreateCERTCertificateFromBytes(google_der));
442 ASSERT_TRUE(google_cert);
443
444 EXPECT_EQ(google_fingerprint,
445 x509_util::CalculateFingerprint256(google_cert.get()));
446 }
447
448 } // namespace net
449