xref: /aosp_15_r20/external/cronet/net/cert/cert_verifier_unittest.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b)
// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/cert/cert_verifier.h"

#include "base/files/file_path.h"
#include "base/memory/ref_counted.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util.h"
#include "net/test/cert_test_util.h"
#include "net/test/test_data_directory.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace net {

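// Checks that CertVerifier::RequestParams::operator< orders two keys as
// equivalent only when every input matches: leaf certificate, supplied
// chain, hostname, flags, OCSP response and SCT list.
//
// NOTE(review): the comments below call these "validation keys"; presumably
// they key cached or coalesced verification results, in which case two
// distinct inputs comparing equivalent would let a result computed for one
// be served for the other - confirm against the callers of RequestParams.
TEST(CertVerifierTest, RequestParamsComparators) {
  const scoped_refptr<X509Certificate> ok_cert =
      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
  ASSERT_TRUE(ok_cert.get());

  const scoped_refptr<X509Certificate> expired_cert =
      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
  ASSERT_TRUE(expired_cert.get());

  const scoped_refptr<X509Certificate> root_cert =
      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
  ASSERT_TRUE(root_cert.get());

  // Create a certificate that contains both a leaf and an
  // intermediate/root.
  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> chain;
  chain.push_back(bssl::UpRef(root_cert->cert_buffer()));
  const scoped_refptr<X509Certificate> combined_cert =
      X509Certificate::CreateFromBuffer(bssl::UpRef(ok_cert->cert_buffer()),
                                        std::move(chain));
  ASSERT_TRUE(combined_cert.get());

  struct {
    // Keys to test
    CertVerifier::RequestParams key1;
    CertVerifier::RequestParams key2;

    // Whether or not |key1| and |key2| are expected to be equal.
    bool equal;
  } tests[] = {
      {
          // Test for basic equivalence.
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          true,
      },
      {
          // Equivalence must also hold when the OCSP response and SCT list
          // are non-empty, so that the contents of those fields (and not
          // merely their presence) are what the comparison sees.
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/"ocsp response",
                                      /*sct_list=*/"sct list"),
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/"ocsp response",
                                      /*sct_list=*/"sct list"),
          true,
      },
      {
          // Test that different certificates but with the same CA and for
          // the same host are different validation keys.
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          CertVerifier::RequestParams(expired_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          false,
      },
      {
          // Test that the same EE certificate for the same host, but with
          // different chains are different validation keys.
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          CertVerifier::RequestParams(combined_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          false,
      },
      {
          // The same certificate, with the same chain, but for different
          // hosts are different validation keys.
          CertVerifier::RequestParams(ok_cert, "www1.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          CertVerifier::RequestParams(ok_cert, "www2.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          false,
      },
      {
          // The same certificate, chain, and host, but with different flags
          // are different validation keys.
          CertVerifier::RequestParams(
              ok_cert, "www.example.test",
              CertVerifier::VERIFY_DISABLE_NETWORK_FETCHES,
              /*ocsp_response=*/std::string(),
              /*sct_list=*/std::string()),
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          false,
      },
      {
          // Different OCSP responses.
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/"ocsp response",
                                      /*sct_list=*/std::string()),
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          false,
      },
      {
          // Different SignedCertificateTimestampList.
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/"sct list"),
          CertVerifier::RequestParams(ok_cert, "www.example.test", 0,
                                      /*ocsp_response=*/std::string(),
                                      /*sct_list=*/std::string()),
          false,
      },
  };

  size_t index = 0;
  for (const auto& test : tests) {
    // Name the failing table entry; without this every failure reports the
    // same source line inside the loop.
    SCOPED_TRACE(::testing::Message() << "tests[" << index++ << "]");

    const CertVerifier::RequestParams& key1 = test.key1;
    const CertVerifier::RequestParams& key2 = test.key2;

    // Ensure that the keys are equivalent to themselves (irreflexivity).
    EXPECT_FALSE(key1 < key1);
    EXPECT_FALSE(key2 < key2);

    if (test.equal) {
      // Equivalent keys: neither may order before the other.
      EXPECT_FALSE(key1 < key2);
      EXPECT_FALSE(key2 < key1);
    } else {
      // Distinct keys: exactly one direction may hold. Accepting "either
      // direction" alone would also pass a comparator that answers true
      // both ways, which is not a valid ordering for an ordered container.
      EXPECT_NE(key1 < key2, key2 < key1);
    }
  }
}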

}  // namespace net