1 // Copyright 2020 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/crypto/certificate_view.h"
6
7 #include <limits>
8 #include <memory>
9 #include <sstream>
10 #include <string>
11
12 #include "absl/algorithm/container.h"
13 #include "absl/strings/escaping.h"
14 #include "absl/strings/string_view.h"
15 #include "openssl/base.h"
16 #include "openssl/bytestring.h"
17 #include "openssl/evp.h"
18 #include "openssl/ssl.h"
19 #include "quiche/quic/core/crypto/boring_utils.h"
20 #include "quiche/quic/core/quic_time.h"
21 #include "quiche/quic/platform/api/quic_ip_address.h"
22 #include "quiche/quic/platform/api/quic_test.h"
23 #include "quiche/quic/test_tools/test_certificates.h"
24 #include "quiche/common/platform/api/quiche_time_utils.h"
25
26 namespace quic {
27 namespace test {
28 namespace {
29
30 using ::testing::ElementsAre;
31 using ::testing::HasSubstr;
32 using ::testing::Optional;
33
TEST(CertificateViewTest,PemParser)34 TEST(CertificateViewTest, PemParser) {
35 std::stringstream stream(kTestCertificatePem);
36 PemReadResult result = ReadNextPemMessage(&stream);
37 EXPECT_EQ(result.status, PemReadResult::kOk);
38 EXPECT_EQ(result.type, "CERTIFICATE");
39 EXPECT_EQ(result.contents, kTestCertificate);
40
41 result = ReadNextPemMessage(&stream);
42 EXPECT_EQ(result.status, PemReadResult::kEof);
43 }
44
TEST(CertificateViewTest,Parse)45 TEST(CertificateViewTest, Parse) {
46 std::unique_ptr<CertificateView> view =
47 CertificateView::ParseSingleCertificate(kTestCertificate);
48 ASSERT_TRUE(view != nullptr);
49
50 EXPECT_THAT(view->subject_alt_name_domains(),
51 ElementsAre(absl::string_view("www.example.org"),
52 absl::string_view("mail.example.org"),
53 absl::string_view("mail.example.com")));
54 EXPECT_THAT(view->subject_alt_name_ips(),
55 ElementsAre(QuicIpAddress::Loopback4()));
56 EXPECT_EQ(EVP_PKEY_id(view->public_key()), EVP_PKEY_RSA);
57
58 const QuicWallTime validity_start = QuicWallTime::FromUNIXSeconds(
59 *quiche::QuicheUtcDateTimeToUnixSeconds(2020, 1, 30, 18, 13, 59));
60 EXPECT_EQ(view->validity_start(), validity_start);
61 const QuicWallTime validity_end = QuicWallTime::FromUNIXSeconds(
62 *quiche::QuicheUtcDateTimeToUnixSeconds(2020, 2, 2, 18, 13, 59));
63 EXPECT_EQ(view->validity_end(), validity_end);
64 EXPECT_EQ(view->public_key_type(), PublicKeyType::kRsa);
65 EXPECT_EQ(PublicKeyTypeToString(view->public_key_type()), "RSA");
66
67 EXPECT_EQ("C=US,ST=California,L=Mountain View,O=QUIC Server,CN=127.0.0.1",
68 view->GetHumanReadableSubject());
69 }
70
TEST(CertificateViewTest,ParseCertWithUnknownSanType)71 TEST(CertificateViewTest, ParseCertWithUnknownSanType) {
72 std::stringstream stream(kTestCertWithUnknownSanTypePem);
73 PemReadResult result = ReadNextPemMessage(&stream);
74 EXPECT_EQ(result.status, PemReadResult::kOk);
75 EXPECT_EQ(result.type, "CERTIFICATE");
76
77 std::unique_ptr<CertificateView> view =
78 CertificateView::ParseSingleCertificate(result.contents);
79 EXPECT_TRUE(view != nullptr);
80 }
81
TEST(CertificateViewTest,PemSingleCertificate)82 TEST(CertificateViewTest, PemSingleCertificate) {
83 std::stringstream pem_stream(kTestCertificatePem);
84 std::vector<std::string> chain =
85 CertificateView::LoadPemFromStream(&pem_stream);
86 EXPECT_THAT(chain, ElementsAre(kTestCertificate));
87 }
88
TEST(CertificateViewTest,PemMultipleCertificates)89 TEST(CertificateViewTest, PemMultipleCertificates) {
90 std::stringstream pem_stream(kTestCertificateChainPem);
91 std::vector<std::string> chain =
92 CertificateView::LoadPemFromStream(&pem_stream);
93 EXPECT_THAT(chain,
94 ElementsAre(kTestCertificate, HasSubstr("QUIC Server Root CA")));
95 }
96
TEST(CertificateViewTest,PemNoCertificates)97 TEST(CertificateViewTest, PemNoCertificates) {
98 std::stringstream pem_stream("one\ntwo\nthree\n");
99 std::vector<std::string> chain =
100 CertificateView::LoadPemFromStream(&pem_stream);
101 EXPECT_TRUE(chain.empty());
102 }
103
TEST(CertificateViewTest,SignAndVerify)104 TEST(CertificateViewTest, SignAndVerify) {
105 std::unique_ptr<CertificatePrivateKey> key =
106 CertificatePrivateKey::LoadFromDer(kTestCertificatePrivateKey);
107 ASSERT_TRUE(key != nullptr);
108
109 std::string data = "A really important message";
110 std::string signature = key->Sign(data, SSL_SIGN_RSA_PSS_RSAE_SHA256);
111 ASSERT_FALSE(signature.empty());
112
113 std::unique_ptr<CertificateView> view =
114 CertificateView::ParseSingleCertificate(kTestCertificate);
115 ASSERT_TRUE(view != nullptr);
116 EXPECT_TRUE(key->MatchesPublicKey(*view));
117
118 EXPECT_TRUE(
119 view->VerifySignature(data, signature, SSL_SIGN_RSA_PSS_RSAE_SHA256));
120 EXPECT_FALSE(view->VerifySignature("An unimportant message", signature,
121 SSL_SIGN_RSA_PSS_RSAE_SHA256));
122 EXPECT_FALSE(view->VerifySignature(data, "Not a signature",
123 SSL_SIGN_RSA_PSS_RSAE_SHA256));
124 }
125
TEST(CertificateViewTest,PrivateKeyPem)126 TEST(CertificateViewTest, PrivateKeyPem) {
127 std::unique_ptr<CertificateView> view =
128 CertificateView::ParseSingleCertificate(kTestCertificate);
129 ASSERT_TRUE(view != nullptr);
130
131 std::stringstream pem_stream(kTestCertificatePrivateKeyPem);
132 std::unique_ptr<CertificatePrivateKey> pem_key =
133 CertificatePrivateKey::LoadPemFromStream(&pem_stream);
134 ASSERT_TRUE(pem_key != nullptr);
135 EXPECT_TRUE(pem_key->MatchesPublicKey(*view));
136
137 std::stringstream legacy_stream(kTestCertificatePrivateKeyLegacyPem);
138 std::unique_ptr<CertificatePrivateKey> legacy_key =
139 CertificatePrivateKey::LoadPemFromStream(&legacy_stream);
140 ASSERT_TRUE(legacy_key != nullptr);
141 EXPECT_TRUE(legacy_key->MatchesPublicKey(*view));
142 }
143
TEST(CertificateViewTest,PrivateKeyEcdsaPem)144 TEST(CertificateViewTest, PrivateKeyEcdsaPem) {
145 std::stringstream pem_stream(kTestEcPrivateKeyLegacyPem);
146 std::unique_ptr<CertificatePrivateKey> key =
147 CertificatePrivateKey::LoadPemFromStream(&pem_stream);
148 ASSERT_TRUE(key != nullptr);
149 EXPECT_TRUE(key->ValidForSignatureAlgorithm(SSL_SIGN_ECDSA_SECP256R1_SHA256));
150 }
151
TEST(CertificateViewTest,DerTime)152 TEST(CertificateViewTest, DerTime) {
153 EXPECT_THAT(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19700101000024Z"),
154 Optional(QuicWallTime::FromUNIXSeconds(24)));
155 EXPECT_THAT(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19710101000024Z"),
156 Optional(QuicWallTime::FromUNIXSeconds(365 * 86400 + 24)));
157 EXPECT_THAT(ParseDerTime(CBS_ASN1_UTCTIME, "700101000024Z"),
158 Optional(QuicWallTime::FromUNIXSeconds(24)));
159 EXPECT_TRUE(ParseDerTime(CBS_ASN1_UTCTIME, "200101000024Z").has_value());
160
161 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, ""), std::nullopt);
162 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19700101000024.001Z"),
163 std::nullopt);
164 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19700101000024Q"),
165 std::nullopt);
166 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19700101000024-0500"),
167 std::nullopt);
168 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "700101000024ZZ"),
169 std::nullopt);
170 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19700101000024.00Z"),
171 std::nullopt);
172 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19700101000024.Z"),
173 std::nullopt);
174 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "197O0101000024Z"),
175 std::nullopt);
176 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19700101000024.0O1Z"),
177 std::nullopt);
178 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "-9700101000024Z"),
179 std::nullopt);
180 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "1970-101000024Z"),
181 std::nullopt);
182
183 EXPECT_TRUE(ParseDerTime(CBS_ASN1_UTCTIME, "490101000024Z").has_value());
184 // This should parse as 1950, which predates UNIX epoch.
185 EXPECT_FALSE(ParseDerTime(CBS_ASN1_UTCTIME, "500101000024Z").has_value());
186
187 EXPECT_THAT(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19700101230000Z"),
188 Optional(QuicWallTime::FromUNIXSeconds(23 * 3600)));
189 EXPECT_EQ(ParseDerTime(CBS_ASN1_GENERALIZEDTIME, "19700101240000Z"),
190 std::nullopt);
191 }
192
TEST(CertificateViewTest,NameAttribute)193 TEST(CertificateViewTest, NameAttribute) {
194 // OBJECT_IDENTIFIER { 1.2.840.113554.4.1.112411 }
195 // UTF8String { "Test" }
196 std::string unknown_oid;
197 ASSERT_TRUE(absl::HexStringToBytes("060b2a864886f712040186ee1b0c0454657374",
198 &unknown_oid));
199 EXPECT_EQ("1.2.840.113554.4.1.112411=Test",
200 X509NameAttributeToString(StringPieceToCbs(unknown_oid)));
201
202 // OBJECT_IDENTIFIER { 2.5.4.3 }
203 // UTF8String { "Bell: \x07" }
204 std::string non_printable;
205 ASSERT_TRUE(
206 absl::HexStringToBytes("06035504030c0742656c6c3a2007", &non_printable));
207 EXPECT_EQ(R"(CN=Bell: \x07)",
208 X509NameAttributeToString(StringPieceToCbs(non_printable)));
209
210 // OBJECT_IDENTIFIER { "\x55\x80" }
211 // UTF8String { "Test" }
212 std::string invalid_oid;
213 ASSERT_TRUE(absl::HexStringToBytes("060255800c0454657374", &invalid_oid));
214 EXPECT_EQ("(5580)=Test",
215 X509NameAttributeToString(StringPieceToCbs(invalid_oid)));
216 }
217
TEST(CertificateViewTest,SupportedSignatureAlgorithmsForQuicIsUpToDate)218 TEST(CertificateViewTest, SupportedSignatureAlgorithmsForQuicIsUpToDate) {
219 QuicSignatureAlgorithmVector supported =
220 SupportedSignatureAlgorithmsForQuic();
221 for (int i = 0; i < std::numeric_limits<uint16_t>::max(); i++) {
222 uint16_t sigalg = static_cast<uint16_t>(i);
223 PublicKeyType key_type = PublicKeyTypeFromSignatureAlgorithm(sigalg);
224 if (absl::c_find(supported, sigalg) == supported.end()) {
225 EXPECT_EQ(key_type, PublicKeyType::kUnknown);
226 } else {
227 EXPECT_NE(key_type, PublicKeyType::kUnknown);
228 }
229 }
230 }
231
232 } // namespace
233 } // namespace test
234 } // namespace quic
235