// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "verify_certificate_chain.h" #include "cert_errors.h" #include "common_cert_errors.h" #include "mock_signature_verify_cache.h" #include "simple_path_builder_delegate.h" #include "test_helpers.h" #include "trust_store.h" #include "verify_certificate_chain_typed_unittest.h" BSSL_NAMESPACE_BEGIN namespace { class VerifyCertificateChainTestDelegate { public: static void Verify(const VerifyCertChainTest &test, const std::string &test_file_path) { SimplePathBuilderDelegate delegate(1024, test.digest_policy); CertPathErrors errors; std::set user_constrained_policy_set; VerifyCertificateChain( test.chain, test.last_cert_trust, &delegate, test.time, test.key_purpose, test.initial_explicit_policy, test.user_initial_policy_set, test.initial_policy_mapping_inhibit, test.initial_any_policy_inhibit, &user_constrained_policy_set, &errors); VerifyCertPathErrors(test.expected_errors, errors, test.chain, test_file_path); VerifyUserConstrainedPolicySet(test.expected_user_constrained_policy_set, user_constrained_policy_set, test_file_path); } }; } // namespace INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, VerifyCertificateChainSingleRootTest, VerifyCertificateChainTestDelegate); TEST(VerifyCertificateIsSelfSigned, TargetOnly) { auto cert = ReadCertFromFile( "testdata/verify_certificate_chain_unittest/target-only/chain.pem"); ASSERT_TRUE(cert); // Test with null cache and errors. EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr, /*errors=*/nullptr)); // Test with cache and errors. CertErrors errors; MockSignatureVerifyCache cache; EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors)); EXPECT_TRUE( errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH)); EXPECT_TRUE(errors.ContainsError(cert_errors::kSubjectDoesNotMatchIssuer)); // Should not try to verify signature if names don't match. EXPECT_EQ(cache.CacheHits(), 0U); EXPECT_EQ(cache.CacheMisses(), 0U); EXPECT_EQ(cache.CacheStores(), 0U); } TEST(VerifyCertificateIsSelfSigned, SelfIssued) { auto cert = ReadCertFromFile( "testdata/verify_certificate_chain_unittest/target-selfissued/chain.pem"); ASSERT_TRUE(cert); // Test with null cache and errors. EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr, /*errors=*/nullptr)); // Test with cache and errors. CertErrors errors; MockSignatureVerifyCache cache; EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors)); EXPECT_TRUE( errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH)); EXPECT_TRUE(errors.ContainsError(cert_errors::kVerifySignedDataFailed)); EXPECT_EQ(cache.CacheHits(), 0U); EXPECT_EQ(cache.CacheMisses(), 1U); EXPECT_EQ(cache.CacheStores(), 1U); // Trying again should use cached signature verification result. EXPECT_FALSE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors)); EXPECT_EQ(cache.CacheHits(), 1U); EXPECT_EQ(cache.CacheMisses(), 1U); EXPECT_EQ(cache.CacheStores(), 1U); } TEST(VerifyCertificateIsSelfSigned, SelfSigned) { auto cert = ReadCertFromFile( "testdata/verify_certificate_chain_unittest/target-selfsigned/chain.pem"); ASSERT_TRUE(cert); // Test with null cache and errors. EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, /*cache=*/nullptr, /*errors=*/nullptr)); // Test with cache and errors. CertErrors errors; MockSignatureVerifyCache cache; EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors)); EXPECT_FALSE(errors.ContainsAnyErrorWithSeverity( CertError::Severity::SEVERITY_WARNING)); EXPECT_FALSE( errors.ContainsAnyErrorWithSeverity(CertError::Severity::SEVERITY_HIGH)); EXPECT_EQ(cache.CacheHits(), 0U); EXPECT_EQ(cache.CacheMisses(), 1U); EXPECT_EQ(cache.CacheStores(), 1U); // Trying again should use cached signature verification result. EXPECT_TRUE(VerifyCertificateIsSelfSigned(*cert, &cache, &errors)); EXPECT_EQ(cache.CacheHits(), 1U); EXPECT_EQ(cache.CacheMisses(), 1U); EXPECT_EQ(cache.CacheStores(), 1U); } BSSL_NAMESPACE_END