// Copyright 2016 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/internal/path_builder.h" #include "base/base_paths.h" #include "base/files/file_util.h" #include "base/path_service.h" #include "net/cert/internal/cert_error_params.h" #include "net/cert/internal/cert_issuer_source_static.h" #include "net/cert/internal/common_cert_errors.h" #include "net/cert/internal/parsed_certificate.h" #include "net/cert/internal/simple_path_builder_delegate.h" #include "net/cert/internal/test_helpers.h" #include "net/cert/internal/trust_store_collection.h" #include "net/cert/internal/trust_store_in_memory.h" #include "net/cert/internal/verify_certificate_chain.h" #include "net/cert/pem_tokenizer.h" #include "net/der/input.h" #include "net/test/test_certificate_data.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" #include "third_party/boringssl/src/include/openssl/pool.h" namespace net { // TODO(crbug.com/634443): Assert the errors for each ResultPath. namespace { using ::testing::_; using ::testing::Invoke; using ::testing::NiceMock; using ::testing::Return; using ::testing::SaveArg; using ::testing::SetArgPointee; using ::testing::StrictMock; // AsyncCertIssuerSourceStatic always returns its certs asynchronously. class AsyncCertIssuerSourceStatic : public CertIssuerSource { public: class StaticAsyncRequest : public Request { public: StaticAsyncRequest(ParsedCertificateList&& issuers) { issuers_.swap(issuers); issuers_iter_ = issuers_.begin(); } ~StaticAsyncRequest() override = default; void GetNext(ParsedCertificateList* out_certs) override { if (issuers_iter_ != issuers_.end()) out_certs->push_back(std::move(*issuers_iter_++)); } ParsedCertificateList issuers_; ParsedCertificateList::iterator issuers_iter_; DISALLOW_COPY_AND_ASSIGN(StaticAsyncRequest); }; ~AsyncCertIssuerSourceStatic() override = default; void AddCert(scoped_refptr cert) { static_cert_issuer_source_.AddCert(std::move(cert)); } void SyncGetIssuersOf(const ParsedCertificate* cert, ParsedCertificateList* issuers) override {} void AsyncGetIssuersOf(const ParsedCertificate* cert, std::unique_ptr* out_req) override { num_async_gets_++; ParsedCertificateList issuers; static_cert_issuer_source_.SyncGetIssuersOf(cert, &issuers); std::unique_ptr req( new StaticAsyncRequest(std::move(issuers))); *out_req = std::move(req); } int num_async_gets() const { return num_async_gets_; } private: CertIssuerSourceStatic static_cert_issuer_source_; int num_async_gets_ = 0; }; ::testing::AssertionResult ReadTestPem(const std::string& file_name, const std::string& block_name, std::string* result) { const PemBlockMapping mappings[] = { {block_name.c_str(), result}, }; return ReadTestDataFromPemFile(file_name, mappings); } ::testing::AssertionResult ReadTestCert( const std::string& file_name, scoped_refptr* result) { std::string der; ::testing::AssertionResult r = ReadTestPem( "net/data/ssl/certificates/" + file_name, "CERTIFICATE", &der); if (!r) return r; CertErrors errors; *result = ParsedCertificate::Create( bssl::UniquePtr(CRYPTO_BUFFER_new( reinterpret_cast(der.data()), der.size(), nullptr)), {}, &errors); if (!*result) { return ::testing::AssertionFailure() << "ParseCertificate::Create() failed:\n" << errors.ToDebugString(); } return ::testing::AssertionSuccess(); } class PathBuilderMultiRootTest : public ::testing::Test { public: PathBuilderMultiRootTest() : delegate_(1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {} void SetUp() override { ASSERT_TRUE(ReadTestCert("multi-root-A-by-B.pem", &a_by_b_)); ASSERT_TRUE(ReadTestCert("multi-root-B-by-C.pem", &b_by_c_)); ASSERT_TRUE(ReadTestCert("multi-root-B-by-F.pem", &b_by_f_)); ASSERT_TRUE(ReadTestCert("multi-root-C-by-D.pem", &c_by_d_)); ASSERT_TRUE(ReadTestCert("multi-root-C-by-E.pem", &c_by_e_)); ASSERT_TRUE(ReadTestCert("multi-root-D-by-D.pem", &d_by_d_)); ASSERT_TRUE(ReadTestCert("multi-root-E-by-E.pem", &e_by_e_)); ASSERT_TRUE(ReadTestCert("multi-root-F-by-E.pem", &f_by_e_)); } protected: scoped_refptr a_by_b_, b_by_c_, b_by_f_, c_by_d_, c_by_e_, d_by_d_, e_by_e_, f_by_e_; SimplePathBuilderDelegate delegate_; der::GeneralizedTime time_ = {2017, 3, 1, 0, 0, 0}; const InitialExplicitPolicy initial_explicit_policy_ = InitialExplicitPolicy::kFalse; const std::set user_initial_policy_set_ = {AnyPolicy()}; const InitialPolicyMappingInhibit initial_policy_mapping_inhibit_ = InitialPolicyMappingInhibit::kFalse; const InitialAnyPolicyInhibit initial_any_policy_inhibit_ = InitialAnyPolicyInhibit::kFalse; }; // Tests when the target cert has the same name and key as a trust anchor, // however is signed by a different trust anchor. This should successfully build // a path, however the trust anchor will be the signer of this cert. // // (This test is very similar to TestEndEntityHasSameNameAndSpkiAsTrustAnchor // but with different data; also in this test the target cert itself is in the // trust store). TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) { TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(a_by_b_); trust_store.AddTrustAnchor(b_by_f_); CertPathBuilder::Result result; CertPathBuilder path_builder( a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.Run(); ASSERT_TRUE(result.HasValidPath()); const auto& path = *result.GetBestValidPath(); ASSERT_EQ(2U, path.certs.size()); EXPECT_EQ(a_by_b_, path.certs[0]); EXPECT_EQ(b_by_f_, path.certs[1]); } // If the target cert is has the same name and key as a trust anchor, however // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI // is trusted, the certificate contents cannot be verified. TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) { TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(a_by_b_); CertPathBuilder::Result result; CertPathBuilder path_builder( a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.Run(); EXPECT_FALSE(result.HasValidPath()); } // Test a failed path building when the trust anchor is provided as a // supplemental certificate. Conceptually the following paths could be built: // // B(C) <- C(D) <- [Trust anchor D] // B(C) <- C(D) <- D(D) <- [Trust anchor D] // // However the second one is extraneous given the shorter path. TEST_F(PathBuilderMultiRootTest, SelfSignedTrustAnchorSupplementalCert) { TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(d_by_d_); // The (extraneous) trust anchor D(D) is supplied as a certificate, as is the // intermediate needed for path building C(D). CertIssuerSourceStatic sync_certs; sync_certs.AddCert(d_by_d_); sync_certs.AddCert(c_by_d_); // C(D) is not valid at this time, so path building will fail. der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0}; CertPathBuilder::Result result; CertPathBuilder path_builder( b_by_c_, &trust_store, &delegate_, expired_time, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); EXPECT_FALSE(result.HasValidPath()); ASSERT_EQ(1U, result.paths.size()); EXPECT_FALSE(result.paths[0]->IsValid()); const auto& path0 = *result.paths[0]; ASSERT_EQ(3U, path0.certs.size()); EXPECT_EQ(b_by_c_, path0.certs[0]); EXPECT_EQ(c_by_d_, path0.certs[1]); EXPECT_EQ(d_by_d_, path0.certs[2]); } // Test verifying a certificate that is a trust anchor. TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) { TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(e_by_e_); // This is not necessary for the test, just an extra... trust_store.AddTrustAnchor(f_by_e_); CertPathBuilder::Result result; CertPathBuilder path_builder( e_by_e_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.Run(); ASSERT_TRUE(result.HasValidPath()); // Verifying a trusted leaf certificate is not permitted, however this // certificate is self-signed, and can chain to itself. const auto& path = *result.GetBestValidPath(); ASSERT_EQ(2U, path.certs.size()); EXPECT_EQ(e_by_e_, path.certs[0]); EXPECT_EQ(e_by_e_, path.certs[1]); } // If the target cert is directly issued by a trust anchor, it should verify // without any intermediate certs being provided. TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) { TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(b_by_f_); CertPathBuilder::Result result; CertPathBuilder path_builder( a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.Run(); ASSERT_TRUE(result.HasValidPath()); const auto& path = *result.GetBestValidPath(); ASSERT_EQ(2U, path.certs.size()); EXPECT_EQ(a_by_b_, path.certs[0]); EXPECT_EQ(b_by_f_, path.certs[1]); } // Test that async cert queries are not made if the path can be successfully // built with synchronously available certs. TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) { TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(e_by_e_); CertIssuerSourceStatic sync_certs; sync_certs.AddCert(b_by_f_); sync_certs.AddCert(f_by_e_); AsyncCertIssuerSourceStatic async_certs; async_certs.AddCert(b_by_c_); async_certs.AddCert(c_by_e_); CertPathBuilder::Result result; CertPathBuilder path_builder( a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&async_certs); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); EXPECT_TRUE(result.HasValidPath()); EXPECT_EQ(0, async_certs.num_async_gets()); } // If async queries are needed, all async sources will be queried // simultaneously. TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) { TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(e_by_e_); CertIssuerSourceStatic sync_certs; sync_certs.AddCert(b_by_c_); sync_certs.AddCert(b_by_f_); AsyncCertIssuerSourceStatic async_certs1; async_certs1.AddCert(c_by_e_); AsyncCertIssuerSourceStatic async_certs2; async_certs2.AddCert(f_by_e_); CertPathBuilder::Result result; CertPathBuilder path_builder( a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&async_certs1); path_builder.AddCertIssuerSource(&async_certs2); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); EXPECT_TRUE(result.HasValidPath()); EXPECT_EQ(1, async_certs1.num_async_gets()); EXPECT_EQ(1, async_certs2.num_async_gets()); } // Test that PathBuilder does not generate longer paths than necessary if one of // the supplied certs is itself a trust anchor. TEST_F(PathBuilderMultiRootTest, TestLongChain) { // Both D(D) and C(D) are trusted roots. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(d_by_d_); trust_store.AddTrustAnchor(c_by_d_); // Certs B(C), and C(D) are all supplied. CertIssuerSourceStatic sync_certs; sync_certs.AddCert(b_by_c_); sync_certs.AddCert(c_by_d_); CertPathBuilder::Result result; CertPathBuilder path_builder( a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); ASSERT_TRUE(result.HasValidPath()); // The result path should be A(B) <- B(C) <- C(D) // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D) EXPECT_EQ(3U, result.GetBestValidPath()->certs.size()); } // Test that PathBuilder will backtrack and try a different path if the first // one doesn't work out. TEST_F(PathBuilderMultiRootTest, TestBacktracking) { // Only D(D) is a trusted root. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(d_by_d_); // Certs B(F) and F(E) are supplied synchronously, thus the path // A(B) <- B(F) <- F(E) should be built first, though it won't verify. CertIssuerSourceStatic sync_certs; sync_certs.AddCert(b_by_f_); sync_certs.AddCert(f_by_e_); // Certs B(C), and C(D) are supplied asynchronously, so the path // A(B) <- B(C) <- C(D) <- D(D) should be tried second. AsyncCertIssuerSourceStatic async_certs; async_certs.AddCert(b_by_c_); async_certs.AddCert(c_by_d_); CertPathBuilder::Result result; CertPathBuilder path_builder( a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.AddCertIssuerSource(&async_certs); path_builder.Run(); ASSERT_TRUE(result.HasValidPath()); // The result path should be A(B) <- B(C) <- C(D) <- D(D) const auto& path = *result.GetBestValidPath(); ASSERT_EQ(4U, path.certs.size()); EXPECT_EQ(a_by_b_, path.certs[0]); EXPECT_EQ(b_by_c_, path.certs[1]); EXPECT_EQ(c_by_d_, path.certs[2]); EXPECT_EQ(d_by_d_, path.certs[3]); } // Test that whichever order CertIssuerSource returns the issuers, the path // building still succeeds. TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) { // Only D(D) is a trusted root. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(d_by_d_); for (bool reverse_order : {false, true}) { SCOPED_TRACE(reverse_order); std::vector> certs = { b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_}; CertIssuerSourceStatic sync_certs; if (reverse_order) { for (auto it = certs.rbegin(); it != certs.rend(); ++it) sync_certs.AddCert(*it); } else { for (const auto& cert : certs) sync_certs.AddCert(cert); } CertPathBuilder::Result result; CertPathBuilder path_builder( a_by_b_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); ASSERT_TRUE(result.HasValidPath()); // The result path should be A(B) <- B(C) <- C(D) <- D(D) const auto& path = *result.GetBestValidPath(); ASSERT_EQ(4U, path.certs.size()); EXPECT_EQ(a_by_b_, path.certs[0]); EXPECT_EQ(b_by_c_, path.certs[1]); EXPECT_EQ(c_by_d_, path.certs[2]); EXPECT_EQ(d_by_d_, path.certs[3]); } } class PathBuilderKeyRolloverTest : public ::testing::Test { public: PathBuilderKeyRolloverTest() : delegate_(1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {} void SetUp() override { ParsedCertificateList path; VerifyCertChainTest test; ASSERT_TRUE(ReadVerifyCertChainTestFromFile( "net/data/verify_certificate_chain_unittest/key-rollover/oldchain.test", &test)); path = test.chain; ASSERT_EQ(3U, path.size()); target_ = path[0]; oldintermediate_ = path[1]; oldroot_ = path[2]; time_ = test.time; ASSERT_TRUE(target_); ASSERT_TRUE(oldintermediate_); ASSERT_TRUE(ReadVerifyCertChainTestFromFile( "net/data/verify_certificate_chain_unittest/" "key-rollover/longrolloverchain.test", &test)); path = test.chain; ASSERT_EQ(5U, path.size()); newintermediate_ = path[1]; newroot_ = path[2]; newrootrollover_ = path[3]; ASSERT_TRUE(newintermediate_); ASSERT_TRUE(newroot_); ASSERT_TRUE(newrootrollover_); } protected: // oldroot-------->newrootrollover newroot // | | | // v v v // oldintermediate newintermediate // | | // +------------+-------------+ // | // v // target scoped_refptr target_; scoped_refptr oldintermediate_; scoped_refptr newintermediate_; scoped_refptr oldroot_; scoped_refptr newroot_; scoped_refptr newrootrollover_; SimplePathBuilderDelegate delegate_; der::GeneralizedTime time_; const InitialExplicitPolicy initial_explicit_policy_ = InitialExplicitPolicy::kFalse; const std::set user_initial_policy_set_ = {AnyPolicy()}; const InitialPolicyMappingInhibit initial_policy_mapping_inhibit_ = InitialPolicyMappingInhibit::kFalse; const InitialAnyPolicyInhibit initial_any_policy_inhibit_ = InitialAnyPolicyInhibit::kFalse; }; // Tests that if only the old root cert is trusted, the path builder can build a // path through the new intermediate and rollover cert to the old root. TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) { // Only oldroot is trusted. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(oldroot_); // Old intermediate cert is not provided, so the pathbuilder will need to go // through the rollover cert. CertIssuerSourceStatic sync_certs; sync_certs.AddCert(newintermediate_); sync_certs.AddCert(newrootrollover_); CertPathBuilder::Result result; CertPathBuilder path_builder( target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); EXPECT_TRUE(result.HasValidPath()); // Path builder will first attempt: target <- newintermediate <- oldroot // but it will fail since newintermediate is signed by newroot. ASSERT_EQ(2U, result.paths.size()); const auto& path0 = *result.paths[0]; EXPECT_FALSE(result.paths[0]->IsValid()); ASSERT_EQ(3U, path0.certs.size()); EXPECT_EQ(target_, path0.certs[0]); EXPECT_EQ(newintermediate_, path0.certs[1]); EXPECT_EQ(oldroot_, path0.certs[2]); // Path builder will next attempt: // target <- newintermediate <- newrootrollover <- oldroot // which will succeed. const auto& path1 = *result.paths[1]; EXPECT_EQ(1U, result.best_result_index); EXPECT_TRUE(result.paths[1]->IsValid()); ASSERT_EQ(4U, path1.certs.size()); EXPECT_EQ(target_, path1.certs[0]); EXPECT_EQ(newintermediate_, path1.certs[1]); EXPECT_EQ(newrootrollover_, path1.certs[2]); EXPECT_EQ(oldroot_, path1.certs[3]); } // Tests that if both old and new roots are trusted it can build a path through // either. // TODO(mattm): Once prioritization is implemented, it should test that it // always builds the path through the new intermediate and new root. TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) { // Both oldroot and newroot are trusted. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(oldroot_); trust_store.AddTrustAnchor(newroot_); // Both old and new intermediates + rollover cert are provided. CertIssuerSourceStatic sync_certs; sync_certs.AddCert(oldintermediate_); sync_certs.AddCert(newintermediate_); sync_certs.AddCert(newrootrollover_); CertPathBuilder::Result result; CertPathBuilder path_builder( target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); EXPECT_TRUE(result.HasValidPath()); // Path builder willattempt one of: // target <- oldintermediate <- oldroot // target <- newintermediate <- newroot // either will succeed. ASSERT_EQ(1U, result.paths.size()); const auto& path = *result.paths[0]; EXPECT_TRUE(result.paths[0]->IsValid()); ASSERT_EQ(3U, path.certs.size()); EXPECT_EQ(target_, path.certs[0]); if (path.certs[1] != newintermediate_) { DVLOG(1) << "USED OLD"; EXPECT_EQ(oldintermediate_, path.certs[1]); EXPECT_EQ(oldroot_, path.certs[2]); } else { DVLOG(1) << "USED NEW"; EXPECT_EQ(newintermediate_, path.certs[1]); EXPECT_EQ(newroot_, path.certs[2]); } } // If trust anchor query returned no results, and there are no issuer // sources, path building should fail at that point. TEST_F(PathBuilderKeyRolloverTest, TestAnchorsNoMatchAndNoIssuerSources) { TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(newroot_); CertPathBuilder::Result result; CertPathBuilder path_builder( target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.Run(); EXPECT_FALSE(result.HasValidPath()); ASSERT_EQ(0U, result.paths.size()); } // Tests that multiple trust root matches on a single path will be considered. // Both roots have the same subject but different keys. Only one of them will // verify. TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) { TrustStoreCollection trust_store_collection; TrustStoreInMemory trust_store1; TrustStoreInMemory trust_store2; trust_store_collection.AddTrustStore(&trust_store1); trust_store_collection.AddTrustStore(&trust_store2); // Add two trust anchors (newroot_ and oldroot_). Path building will attempt // them in this same order, as trust_store1 was added to // trust_store_collection first. trust_store1.AddTrustAnchor(newroot_); trust_store2.AddTrustAnchor(oldroot_); // Only oldintermediate is supplied, so the path with newroot should fail, // oldroot should succeed. CertIssuerSourceStatic sync_certs; sync_certs.AddCert(oldintermediate_); CertPathBuilder::Result result; CertPathBuilder path_builder( target_, &trust_store_collection, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); EXPECT_TRUE(result.HasValidPath()); ASSERT_EQ(2U, result.paths.size()); { // Path builder may first attempt: target <- oldintermediate <- newroot // but it will fail since oldintermediate is signed by oldroot. EXPECT_FALSE(result.paths[0]->IsValid()); const auto& path = *result.paths[0]; ASSERT_EQ(3U, path.certs.size()); EXPECT_EQ(target_, path.certs[0]); EXPECT_EQ(oldintermediate_, path.certs[1]); EXPECT_EQ(newroot_, path.certs[2]); } { // Path builder will next attempt: // target <- old intermediate <- oldroot // which should succeed. EXPECT_TRUE(result.paths[result.best_result_index]->IsValid()); const auto& path = *result.paths[result.best_result_index]; ASSERT_EQ(3U, path.certs.size()); EXPECT_EQ(target_, path.certs[0]); EXPECT_EQ(oldintermediate_, path.certs[1]); EXPECT_EQ(oldroot_, path.certs[2]); } } // Tests that the path builder doesn't build longer than necessary paths. TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) { // Only oldroot is trusted. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(oldroot_); // New intermediate and new root are provided synchronously. CertIssuerSourceStatic sync_certs; sync_certs.AddCert(newintermediate_); sync_certs.AddCert(newroot_); // Rollover cert is only provided asynchronously. This will force the // pathbuilder to first try building a longer than necessary path. AsyncCertIssuerSourceStatic async_certs; async_certs.AddCert(newrootrollover_); CertPathBuilder::Result result; CertPathBuilder path_builder( target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.AddCertIssuerSource(&async_certs); path_builder.Run(); EXPECT_TRUE(result.HasValidPath()); ASSERT_EQ(3U, result.paths.size()); // Path builder will first attempt: target <- newintermediate <- oldroot // but it will fail since newintermediate is signed by newroot. EXPECT_FALSE(result.paths[0]->IsValid()); const auto& path0 = *result.paths[0]; ASSERT_EQ(3U, path0.certs.size()); EXPECT_EQ(target_, path0.certs[0]); EXPECT_EQ(newintermediate_, path0.certs[1]); EXPECT_EQ(oldroot_, path0.certs[2]); // Path builder will next attempt: // target <- newintermediate <- newroot <- oldroot // but it will fail since newroot is self-signed. EXPECT_FALSE(result.paths[1]->IsValid()); const auto& path1 = *result.paths[1]; ASSERT_EQ(4U, path1.certs.size()); EXPECT_EQ(target_, path1.certs[0]); EXPECT_EQ(newintermediate_, path1.certs[1]); EXPECT_EQ(newroot_, path1.certs[2]); EXPECT_EQ(oldroot_, path1.certs[3]); // Path builder will skip: // target <- newintermediate <- newroot <- newrootrollover <- ... // Since newroot and newrootrollover have the same Name+SAN+SPKI. // Finally path builder will use: // target <- newintermediate <- newrootrollover <- oldroot EXPECT_EQ(2U, result.best_result_index); EXPECT_TRUE(result.paths[2]->IsValid()); const auto& path2 = *result.paths[2]; ASSERT_EQ(4U, path2.certs.size()); EXPECT_EQ(target_, path2.certs[0]); EXPECT_EQ(newintermediate_, path2.certs[1]); EXPECT_EQ(newrootrollover_, path2.certs[2]); EXPECT_EQ(oldroot_, path2.certs[3]); } // If the target cert is a trust anchor, however is not itself *signed* by a // trust anchor, then it is not considered valid (the SPKI and name of the // trust anchor matches the SPKI and subject of the targe certificate, but the // rest of the certificate cannot be verified). TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) { // Trust newintermediate. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(newintermediate_); CertPathBuilder::Result result; // Newintermediate is also the target cert. CertPathBuilder path_builder( newintermediate_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.Run(); EXPECT_FALSE(result.HasValidPath()); } // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path // can still be built. // Since LoopChecker will prevent the intermediate from being included, this // currently does NOT verify. This case shouldn't occur in the web PKI. TEST_F(PathBuilderKeyRolloverTest, TestEndEntityHasSameNameAndSpkiAsIntermediate) { // Trust oldroot. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(oldroot_); // New root rollover is provided synchronously. CertIssuerSourceStatic sync_certs; sync_certs.AddCert(newrootrollover_); CertPathBuilder::Result result; // Newroot is the target cert. CertPathBuilder path_builder( newroot_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); // This could actually be OK, but CertPathBuilder does not build the // newroot <- newrootrollover <- oldroot path. EXPECT_FALSE(result.HasValidPath()); } // If target has same Name+SAN+SPKI as the trust root, test that a (trivial) // path can still be built. TEST_F(PathBuilderKeyRolloverTest, TestEndEntityHasSameNameAndSpkiAsTrustAnchor) { // Trust newrootrollover. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(newrootrollover_); CertPathBuilder::Result result; // Newroot is the target cert. CertPathBuilder path_builder( newroot_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.Run(); ASSERT_TRUE(result.HasValidPath()); const CertPathBuilderResultPath* best_result = result.GetBestValidPath(); // Newroot has same name+SPKI as newrootrollover, thus the path is valid and // only contains newroot. EXPECT_TRUE(best_result->IsValid()); ASSERT_EQ(2U, best_result->certs.size()); EXPECT_EQ(newroot_, best_result->certs[0]); EXPECT_EQ(newrootrollover_, best_result->certs[1]); } // Test that PathBuilder will not try the same path twice if multiple // CertIssuerSources provide the same certificate. TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) { // Create a separate copy of oldintermediate. scoped_refptr oldintermediate_dupe( ParsedCertificate::Create( bssl::UniquePtr(CRYPTO_BUFFER_new( oldintermediate_->der_cert().UnsafeData(), oldintermediate_->der_cert().Length(), nullptr)), {}, nullptr)); // Only newroot is a trusted root. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(newroot_); // The oldintermediate is supplied synchronously by |sync_certs1| and // another copy of oldintermediate is supplied synchronously by |sync_certs2|. // The path target <- oldintermediate <- newroot should be built first, // though it won't verify. It should not be attempted again even though // oldintermediate was supplied twice. CertIssuerSourceStatic sync_certs1; sync_certs1.AddCert(oldintermediate_); CertIssuerSourceStatic sync_certs2; sync_certs2.AddCert(oldintermediate_dupe); // The newintermediate is supplied asynchronously, so the path // target <- newintermediate <- newroot should be tried second. AsyncCertIssuerSourceStatic async_certs; async_certs.AddCert(newintermediate_); CertPathBuilder::Result result; CertPathBuilder path_builder( target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs1); path_builder.AddCertIssuerSource(&sync_certs2); path_builder.AddCertIssuerSource(&async_certs); path_builder.Run(); EXPECT_TRUE(result.HasValidPath()); ASSERT_EQ(2U, result.paths.size()); // Path builder will first attempt: target <- oldintermediate <- newroot // but it will fail since oldintermediate is signed by oldroot. EXPECT_FALSE(result.paths[0]->IsValid()); const auto& path0 = *result.paths[0]; ASSERT_EQ(3U, path0.certs.size()); EXPECT_EQ(target_, path0.certs[0]); // Compare the DER instead of ParsedCertificate pointer, don't care which copy // of oldintermediate was used in the path. EXPECT_EQ(oldintermediate_->der_cert(), path0.certs[1]->der_cert()); EXPECT_EQ(newroot_, path0.certs[2]); // Path builder will next attempt: target <- newintermediate <- newroot // which will succeed. EXPECT_EQ(1U, result.best_result_index); EXPECT_TRUE(result.paths[1]->IsValid()); const auto& path1 = *result.paths[1]; ASSERT_EQ(3U, path1.certs.size()); EXPECT_EQ(target_, path1.certs[0]); EXPECT_EQ(newintermediate_, path1.certs[1]); EXPECT_EQ(newroot_, path1.certs[2]); } // Test when PathBuilder is given a cert via CertIssuerSources that has the same // SPKI as a trust anchor. TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) { // Create a separate copy of newroot. scoped_refptr newroot_dupe(ParsedCertificate::Create( bssl::UniquePtr( CRYPTO_BUFFER_new(newroot_->der_cert().UnsafeData(), newroot_->der_cert().Length(), nullptr)), {}, nullptr)); // Only newroot is a trusted root. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(newroot_); // The oldintermediate and newroot are supplied synchronously by |sync_certs|. CertIssuerSourceStatic sync_certs; sync_certs.AddCert(oldintermediate_); sync_certs.AddCert(newroot_dupe); CertPathBuilder::Result result; CertPathBuilder path_builder( target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&sync_certs); path_builder.Run(); EXPECT_FALSE(result.HasValidPath()); ASSERT_EQ(1U, result.paths.size()); // Path builder attempt: target <- oldintermediate <- newroot // but it will fail since oldintermediate is signed by oldroot. EXPECT_FALSE(result.paths[0]->IsValid()); const auto& path = *result.paths[0]; ASSERT_EQ(3U, path.certs.size()); EXPECT_EQ(target_, path.certs[0]); EXPECT_EQ(oldintermediate_, path.certs[1]); // Compare the DER instead of ParsedCertificate pointer, don't care which copy // of newroot was used in the path. EXPECT_EQ(newroot_->der_cert(), path.certs[2]->der_cert()); } class MockCertIssuerSourceRequest : public CertIssuerSource::Request { public: MOCK_METHOD1(GetNext, void(ParsedCertificateList*)); }; class MockCertIssuerSource : public CertIssuerSource { public: MOCK_METHOD2(SyncGetIssuersOf, void(const ParsedCertificate*, ParsedCertificateList*)); MOCK_METHOD2(AsyncGetIssuersOf, void(const ParsedCertificate*, std::unique_ptr*)); }; // Helper class to pass the Request to the PathBuilder when it calls // AsyncGetIssuersOf. (GoogleMock has a ByMove helper, but it apparently can // only be used with Return, not SetArgPointee.) class CertIssuerSourceRequestMover { public: CertIssuerSourceRequestMover(std::unique_ptr req) : request_(std::move(req)) {} void MoveIt(const ParsedCertificate* cert, std::unique_ptr* out_req) { *out_req = std::move(request_); } private: std::unique_ptr request_; }; // Functor that when called with a ParsedCertificateList* will append the // specified certificate. class AppendCertToList { public: explicit AppendCertToList(const scoped_refptr& cert) : cert_(cert) {} void operator()(ParsedCertificateList* out) { out->push_back(cert_); } private: scoped_refptr cert_; }; // Test that a single CertIssuerSource returning multiple async batches of // issuers is handled correctly. Due to the StrictMocks, it also tests that path // builder does not request issuers of certs that it shouldn't. TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncIssuersFromSingleSource) { StrictMock cert_issuer_source; // Only newroot is a trusted root. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(newroot_); CertPathBuilder::Result result; CertPathBuilder path_builder( target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&cert_issuer_source); // Create the mock CertIssuerSource::Request... std::unique_ptr> target_issuers_req_owner(new StrictMock()); // Keep a raw pointer to the Request... StrictMock* target_issuers_req = target_issuers_req_owner.get(); // Setup helper class to pass ownership of the Request to the PathBuilder when // it calls AsyncGetIssuersOf. CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner)); { ::testing::InSequence s; EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _)); EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_.get(), _)) .WillOnce(Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt)); } EXPECT_CALL(*target_issuers_req, GetNext(_)) // First async batch: return oldintermediate_. .WillOnce(Invoke(AppendCertToList(oldintermediate_))) // Second async batch: return newintermediate_. .WillOnce(Invoke(AppendCertToList(newintermediate_))); { ::testing::InSequence s; // oldintermediate_ does not create a valid path, so both sync and async // lookups are expected. EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(oldintermediate_.get(), _)); EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(oldintermediate_.get(), _)); } // newroot_ is in the trust store, so this path will be completed // synchronously. AsyncGetIssuersOf will not be called on newintermediate_. EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _)); // Ensure pathbuilder finished and filled result. path_builder.Run(); // Note that VerifyAndClearExpectations(target_issuers_req) is not called // here. PathBuilder could have destroyed it already, so just let the // expectations get checked by the destructor. ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); EXPECT_TRUE(result.HasValidPath()); ASSERT_EQ(2U, result.paths.size()); // Path builder first attempts: target <- oldintermediate <- newroot // but it will fail since oldintermediate is signed by oldroot. EXPECT_FALSE(result.paths[0]->IsValid()); const auto& path0 = *result.paths[0]; ASSERT_EQ(3U, path0.certs.size()); EXPECT_EQ(target_, path0.certs[0]); EXPECT_EQ(oldintermediate_, path0.certs[1]); EXPECT_EQ(newroot_, path0.certs[2]); // After the second batch of async results, path builder will attempt: // target <- newintermediate <- newroot which will succeed. EXPECT_TRUE(result.paths[1]->IsValid()); const auto& path1 = *result.paths[1]; ASSERT_EQ(3U, path1.certs.size()); EXPECT_EQ(target_, path1.certs[0]); EXPECT_EQ(newintermediate_, path1.certs[1]); EXPECT_EQ(newroot_, path1.certs[2]); } // Test that PathBuilder will not try the same path twice if CertIssuerSources // asynchronously provide the same certificate multiple times. TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) { StrictMock cert_issuer_source; // Only newroot is a trusted root. TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(newroot_); CertPathBuilder::Result result; CertPathBuilder path_builder( target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU, initial_explicit_policy_, user_initial_policy_set_, initial_policy_mapping_inhibit_, initial_any_policy_inhibit_, &result); path_builder.AddCertIssuerSource(&cert_issuer_source); // Create the mock CertIssuerSource::Request... std::unique_ptr> target_issuers_req_owner(new StrictMock()); // Keep a raw pointer to the Request... StrictMock* target_issuers_req = target_issuers_req_owner.get(); // Setup helper class to pass ownership of the Request to the PathBuilder when // it calls AsyncGetIssuersOf. CertIssuerSourceRequestMover req_mover(std::move(target_issuers_req_owner)); { ::testing::InSequence s; EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(target_.get(), _)); EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(target_.get(), _)) .WillOnce(Invoke(&req_mover, &CertIssuerSourceRequestMover::MoveIt)); } scoped_refptr oldintermediate_dupe( ParsedCertificate::Create( bssl::UniquePtr(CRYPTO_BUFFER_new( oldintermediate_->der_cert().UnsafeData(), oldintermediate_->der_cert().Length(), nullptr)), {}, nullptr)); EXPECT_CALL(*target_issuers_req, GetNext(_)) // First async batch: return oldintermediate_. .WillOnce(Invoke(AppendCertToList(oldintermediate_))) // Second async batch: return a different copy of oldintermediate_ again. .WillOnce(Invoke(AppendCertToList(oldintermediate_dupe))) // Third async batch: return newintermediate_. .WillOnce(Invoke(AppendCertToList(newintermediate_))); { ::testing::InSequence s; // oldintermediate_ does not create a valid path, so both sync and async // lookups are expected. EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(oldintermediate_.get(), _)); EXPECT_CALL(cert_issuer_source, AsyncGetIssuersOf(oldintermediate_.get(), _)); } // newroot_ is in the trust store, so this path will be completed // synchronously. AsyncGetIssuersOf will not be called on newintermediate_. EXPECT_CALL(cert_issuer_source, SyncGetIssuersOf(newintermediate_.get(), _)); // Ensure pathbuilder finished and filled result. path_builder.Run(); ::testing::Mock::VerifyAndClearExpectations(&cert_issuer_source); EXPECT_TRUE(result.HasValidPath()); ASSERT_EQ(2U, result.paths.size()); // Path builder first attempts: target <- oldintermediate <- newroot // but it will fail since oldintermediate is signed by oldroot. EXPECT_FALSE(result.paths[0]->IsValid()); const auto& path0 = *result.paths[0]; ASSERT_EQ(3U, path0.certs.size()); EXPECT_EQ(target_, path0.certs[0]); EXPECT_EQ(oldintermediate_, path0.certs[1]); EXPECT_EQ(newroot_, path0.certs[2]); // The second async result does not generate any path. // After the third batch of async results, path builder will attempt: // target <- newintermediate <- newroot which will succeed. EXPECT_TRUE(result.paths[1]->IsValid()); const auto& path1 = *result.paths[1]; ASSERT_EQ(3U, path1.certs.size()); EXPECT_EQ(target_, path1.certs[0]); EXPECT_EQ(newintermediate_, path1.certs[1]); EXPECT_EQ(newroot_, path1.certs[2]); } class PathBuilderSimpleChainTest : public ::testing::Test { public: PathBuilderSimpleChainTest() = default; protected: void SetUp() override { // Read a simple test chain comprised of a target, intermediate, and root. ASSERT_TRUE(ReadVerifyCertChainTestFromFile( "net/data/verify_certificate_chain_unittest/target-and-intermediate/" "main.test", &test_)); ASSERT_EQ(3u, test_.chain.size()); } // Runs the path builder for the target certificate while |distrusted_cert| is // blacklisted, and |delegate| if non-null. void RunPathBuilder(const scoped_refptr& distrusted_cert, CertPathBuilderDelegate* optional_delegate, CertPathBuilder::Result* result) { ASSERT_EQ(3u, test_.chain.size()); // Set up the trust store such that |distrusted_cert| is blacklisted, and // the root is trusted (except if it was |distrusted_cert|). TrustStoreInMemory trust_store; if (distrusted_cert != test_.chain.back()) trust_store.AddTrustAnchor(test_.chain.back()); if (distrusted_cert) trust_store.AddDistrustedCertificateForTest(distrusted_cert); // Add the single intermediate. CertIssuerSourceStatic intermediates; intermediates.AddCert(test_.chain[1]); SimplePathBuilderDelegate default_delegate( 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); CertPathBuilderDelegate* delegate = optional_delegate ? optional_delegate : &default_delegate; const InitialExplicitPolicy initial_explicit_policy = InitialExplicitPolicy::kFalse; const std::set user_initial_policy_set = {AnyPolicy()}; const InitialPolicyMappingInhibit initial_policy_mapping_inhibit = InitialPolicyMappingInhibit::kFalse; const InitialAnyPolicyInhibit initial_any_policy_inhibit = InitialAnyPolicyInhibit::kFalse; CertPathBuilder path_builder( test_.chain.front(), &trust_store, delegate, test_.time, KeyPurpose::ANY_EKU, initial_explicit_policy, user_initial_policy_set, initial_policy_mapping_inhibit, initial_any_policy_inhibit, result); path_builder.AddCertIssuerSource(&intermediates); path_builder.Run(); } protected: VerifyCertChainTest test_; }; // Test fixture for running the path builder over a simple chain, while varying // the trustedness of certain certificates. class PathBuilderDistrustTest : public PathBuilderSimpleChainTest { public: PathBuilderDistrustTest() = default; protected: // Runs the path builder for the target certificate while |distrusted_cert| is // blacklisted. void RunPathBuilderWithDistrustedCert( const scoped_refptr& distrusted_cert, CertPathBuilder::Result* result) { RunPathBuilder(distrusted_cert, nullptr, result); } }; // Tests that path building fails when the target, intermediate, or root are // distrusted (but the path is otherwise valid). TEST_F(PathBuilderDistrustTest, TargetIntermediateRoot) { CertPathBuilder::Result result; // First do a control test -- path building without any blacklisted // certificates should work. RunPathBuilderWithDistrustedCert(nullptr, &result); { EXPECT_TRUE(result.HasValidPath()); // The built path should be identical the the one read from disk. const auto& path = *result.GetBestValidPath(); ASSERT_EQ(test_.chain.size(), path.certs.size()); for (size_t i = 0; i < test_.chain.size(); ++i) EXPECT_EQ(test_.chain[i], path.certs[i]); } // Try path building when only the target is blacklisted - should fail. RunPathBuilderWithDistrustedCert(test_.chain[0], &result); { EXPECT_FALSE(result.HasValidPath()); ASSERT_LT(result.best_result_index, result.paths.size()); const auto& best_path = result.paths[result.best_result_index]; // The built chain has length 1 since path building stopped once // it encountered the blacklisted certificate (target). ASSERT_EQ(1u, best_path->certs.size()); EXPECT_EQ(best_path->certs[0], test_.chain[0]); EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); best_path->errors.ContainsError(cert_errors::kDistrustedByTrustStore); } // Try path building when only the intermediate is blacklisted - should fail. RunPathBuilderWithDistrustedCert(test_.chain[1], &result); { EXPECT_FALSE(result.HasValidPath()); ASSERT_LT(result.best_result_index, result.paths.size()); const auto& best_path = result.paths[result.best_result_index]; // The built chain has length 2 since path building stopped once // it encountered the blacklisted certificate (intermediate). ASSERT_EQ(2u, best_path->certs.size()); EXPECT_EQ(best_path->certs[0], test_.chain[0]); EXPECT_EQ(best_path->certs[1], test_.chain[1]); EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); best_path->errors.ContainsError(cert_errors::kDistrustedByTrustStore); } // Try path building when only the root is blacklisted - should fail. RunPathBuilderWithDistrustedCert(test_.chain[2], &result); { EXPECT_FALSE(result.HasValidPath()); ASSERT_LT(result.best_result_index, result.paths.size()); const auto& best_path = result.paths[result.best_result_index]; // The built chain has length 3 since path building stopped once // it encountered the blacklisted certificate (root). ASSERT_EQ(3u, best_path->certs.size()); EXPECT_EQ(best_path->certs[0], test_.chain[0]); EXPECT_EQ(best_path->certs[1], test_.chain[1]); EXPECT_EQ(best_path->certs[2], test_.chain[2]); EXPECT_TRUE(best_path->errors.ContainsHighSeverityErrors()); best_path->errors.ContainsError(cert_errors::kDistrustedByTrustStore); } } // Test fixture for running the path builder over a simple chain, while varying // what CheckPathAfterVerification() does. class PathBuilderCheckPathAfterVerificationTest : public PathBuilderSimpleChainTest {}; class CertPathBuilderDelegateBase : public SimplePathBuilderDelegate { public: CertPathBuilderDelegateBase() : SimplePathBuilderDelegate( 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {} void CheckPathAfterVerification(CertPathBuilderResultPath* path) override { ADD_FAILURE() << "Tests must override this"; } }; class MockPathBuilderDelegate : public CertPathBuilderDelegateBase { public: MOCK_METHOD1(CheckPathAfterVerification, void(CertPathBuilderResultPath* path)); }; TEST_F(PathBuilderCheckPathAfterVerificationTest, NoOpToValidPath) { CertPathBuilder::Result result; StrictMock delegate; // Just verify that the hook is called. EXPECT_CALL(delegate, CheckPathAfterVerification(_)); RunPathBuilder(nullptr, &delegate, &result); EXPECT_TRUE(result.HasValidPath()); } DEFINE_CERT_ERROR_ID(kWarningFromDelegate, "Warning from delegate"); class AddWarningPathBuilderDelegate : public CertPathBuilderDelegateBase { public: void CheckPathAfterVerification(CertPathBuilderResultPath* path) override { path->errors.GetErrorsForCert(1)->AddWarning(kWarningFromDelegate, nullptr); } }; TEST_F(PathBuilderCheckPathAfterVerificationTest, AddsWarningToValidPath) { CertPathBuilder::Result result; AddWarningPathBuilderDelegate delegate; RunPathBuilder(nullptr, &delegate, &result); ASSERT_TRUE(result.HasValidPath()); // A warning should have been added to certificate at index 1 in the path. const CertErrors* cert1_errors = result.GetBestValidPath()->errors.GetErrorsForCert(1); ASSERT_TRUE(cert1_errors); EXPECT_TRUE(cert1_errors->ContainsError(kWarningFromDelegate)); } DEFINE_CERT_ERROR_ID(kErrorFromDelegate, "Error from delegate"); class AddErrorPathBuilderDelegate : public CertPathBuilderDelegateBase { public: void CheckPathAfterVerification(CertPathBuilderResultPath* path) override { path->errors.GetErrorsForCert(2)->AddError(kErrorFromDelegate, nullptr); } }; TEST_F(PathBuilderCheckPathAfterVerificationTest, AddsErrorToValidPath) { CertPathBuilder::Result result; AddErrorPathBuilderDelegate delegate; RunPathBuilder(nullptr, &delegate, &result); // Verification failed. ASSERT_FALSE(result.HasValidPath()); ASSERT_LT(result.best_result_index, result.paths.size()); const CertPathBuilderResultPath* failed_path = result.paths[result.best_result_index].get(); ASSERT_TRUE(failed_path); // An error should have been added to certificate at index 2 in the path. const CertErrors* cert2_errors = failed_path->errors.GetErrorsForCert(2); ASSERT_TRUE(cert2_errors); EXPECT_TRUE(cert2_errors->ContainsError(kErrorFromDelegate)); } TEST_F(PathBuilderCheckPathAfterVerificationTest, NoopToAlreadyInvalidPath) { CertPathBuilder::Result result; StrictMock delegate; // Just verify that the hook is called (on an invalid path). EXPECT_CALL(delegate, CheckPathAfterVerification(_)); // Run the pathbuilder with certificate at index 1 actively distrusted. RunPathBuilder(test_.chain[1], &delegate, &result); EXPECT_FALSE(result.HasValidPath()); } struct DelegateData : public CertPathBuilderDelegateData { int value = 0xB33F; }; class SetsDelegateDataPathBuilderDelegate : public CertPathBuilderDelegateBase { public: void CheckPathAfterVerification(CertPathBuilderResultPath* path) override { path->delegate_data = std::make_unique(); } }; TEST_F(PathBuilderCheckPathAfterVerificationTest, SetsDelegateData) { CertPathBuilder::Result result; SetsDelegateDataPathBuilderDelegate delegate; RunPathBuilder(nullptr, &delegate, &result); ASSERT_TRUE(result.HasValidPath()); DelegateData* data = reinterpret_cast( result.GetBestValidPath()->delegate_data.get()); EXPECT_EQ(0xB33F, data->value); } } // namespace } // namespace net