blob: 7575010ce42a1878c51a0217291491135f573082 [file] [log] [blame]
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/cert_verify_proc_mac.h"
#include <memory>
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/logging.h"
#include "base/mac/mac_util.h"
#include "base/macros.h"
#include "base/memory/scoped_refptr.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/crl_set.h"
#include "net/cert/test_keychain_search_list_mac.h"
#include "net/cert/test_root_certs.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util.h"
#include "net/log/net_log_with_source.h"
#include "net/test/cert_test_util.h"
#include "net/test/gtest_util.h"
#include "net/test/test_data_directory.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
using net::test::IsError;
using net::test::IsOk;
namespace net {
namespace {
// Test that a CRLSet blocking one of the intermediates supplied by the server
// can be worked around by the chopping workaround for path building. (Once the
// supplied chain is chopped back to just the target, a better path can be
// found out-of-band. Normally that would be by AIA fetching, for the purposes
// of this test the better path is supplied by a test keychain.)
//
// In this test, there are two possible paths to validate a leaf (A):
// 1. A(B) -> B(C) -> C(E) -> E(E)
// 2. A(B) -> B(F) -> F(E) -> E(E)
//
// A(B) -> B(C) -> C(E) is supplied to the verifier.
// B(F) and F(E) are supplied in a test keychain.
// C is blocked by a CRLset.
//
// The verifier should rollback until it just tries A(B) alone, at which point
// it will pull B(F) & F(E) from the keychain and succeed.
TEST(CertVerifyProcMacTest, MacCRLIntermediate) {
if (base::mac::IsAtLeastOS10_12()) {
// TODO(crbug.com/671889): Investigate SecTrustSetKeychains issue on Sierra.
LOG(INFO) << "Skipping test, SecTrustSetKeychains does not work on 10.12";
return;
}
CertificateList path_2_certs;
ASSERT_TRUE(
LoadCertificateFiles({"multi-root-A-by-B.pem", "multi-root-B-by-C.pem",
"multi-root-C-by-E.pem", "multi-root-E-by-E.pem"},
&path_2_certs));
CertificateList path_3_certs;
ASSERT_TRUE(
LoadCertificateFiles({"multi-root-A-by-B.pem", "multi-root-B-by-F.pem",
"multi-root-F-by-E.pem", "multi-root-E-by-E.pem"},
&path_3_certs));
// Add E as trust anchor.
ScopedTestRoot test_root_E(path_3_certs[3].get()); // E-by-E
std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
intermediates.push_back(
bssl::UpRef(path_2_certs[1]->cert_buffer())); // B-by-C
intermediates.push_back(
bssl::UpRef(path_2_certs[2]->cert_buffer())); // C-by-E
scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer(
bssl::UpRef(path_3_certs[0]->cert_buffer()), std::move(intermediates));
ASSERT_TRUE(cert);
std::unique_ptr<TestKeychainSearchList> test_keychain_search_list(
TestKeychainSearchList::Create());
ASSERT_TRUE(test_keychain_search_list);
base::FilePath keychain_path(
GetTestCertsDirectory().AppendASCII("multi-root-BFE.keychain"));
// SecKeychainOpen does not fail if the file doesn't exist, so assert it here
// for easier debugging.
ASSERT_TRUE(base::PathExists(keychain_path));
SecKeychainRef keychain;
OSStatus status =
SecKeychainOpen(keychain_path.MaybeAsASCII().c_str(), &keychain);
ASSERT_EQ(errSecSuccess, status);
ASSERT_TRUE(keychain);
base::ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain);
test_keychain_search_list->AddKeychain(keychain);
scoped_refptr<CRLSet> crl_set;
std::string crl_set_bytes;
// CRL which blocks C by SPKI.
EXPECT_TRUE(base::ReadFileToString(
GetTestCertsDirectory().AppendASCII("multi-root-crlset-C.raw"),
&crl_set_bytes));
ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
int flags = 0;
CertVerifyResult verify_result;
scoped_refptr<CertVerifyProc> verify_proc =
base::MakeRefCounted<CertVerifyProcMac>();
int error = verify_proc->Verify(
cert.get(), "127.0.0.1", /*ocsp_response=*/std::string(),
/*sct_list=*/std::string(), flags, crl_set.get(), CertificateList(),
&verify_result, NetLogWithSource());
ASSERT_EQ(OK, error);
ASSERT_EQ(0U, verify_result.cert_status);
ASSERT_TRUE(verify_result.verified_cert.get());
const auto& verified_intermediates =
verify_result.verified_cert->intermediate_buffers();
ASSERT_EQ(3U, verified_intermediates.size());
scoped_refptr<X509Certificate> intermediate =
X509Certificate::CreateFromBuffer(
bssl::UpRef(verified_intermediates[1].get()), {});
ASSERT_TRUE(intermediate);
scoped_refptr<X509Certificate> expected_intermediate = path_3_certs[2];
EXPECT_TRUE(expected_intermediate->EqualsExcludingChain(intermediate.get()))
<< "Expected: " << expected_intermediate->subject().common_name
<< " issued by " << expected_intermediate->issuer().common_name
<< "; Got: " << intermediate->subject().common_name << " issued by "
<< intermediate->issuer().common_name;
}
// Test that if a keychain is present which trusts a less-desirable root (ex,
// one using SHA1), that the keychain reordering hack will cause the better
// root in the System Roots to be used instead.
// TODO(crbug.com/867174): Re-enable this test.
TEST(CertVerifyProcMacTest, DISABLED_MacKeychainReordering) {
// Note: target cert expires Dec 30 23:59:59 2019 GMT
scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
GetTestCertsDirectory(), "gms.hongleong.com.my-verisign-chain.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_TRUE(cert);
// Create a test keychain search list that will Always Trust the SHA1
// cross-signed VeriSign Class 3 Public Primary Certification Authority - G5
std::unique_ptr<TestKeychainSearchList> test_keychain_search_list(
TestKeychainSearchList::Create());
ASSERT_TRUE(test_keychain_search_list);
base::FilePath keychain_path(GetTestCertsDirectory().AppendASCII(
"verisign_class3_g5_crosssigned-trusted.keychain"));
// SecKeychainOpen does not fail if the file doesn't exist, so assert it here
// for easier debugging.
ASSERT_TRUE(base::PathExists(keychain_path));
SecKeychainRef keychain;
OSStatus status =
SecKeychainOpen(keychain_path.MaybeAsASCII().c_str(), &keychain);
ASSERT_EQ(errSecSuccess, status);
ASSERT_TRUE(keychain);
base::ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain);
test_keychain_search_list->AddKeychain(keychain);
int flags = 0;
CertVerifyResult verify_result;
scoped_refptr<CertVerifyProc> verify_proc =
base::MakeRefCounted<CertVerifyProcMac>();
int error = verify_proc->Verify(
cert.get(), "gms.hongleong.com.my", /*ocsp_response=*/std::string(),
/*sct_list=*/std::string(), flags, CRLSet::BuiltinCRLSet().get(),
CertificateList(), &verify_result, NetLogWithSource());
ASSERT_EQ(OK, error);
EXPECT_FALSE(verify_result.has_sha1);
ASSERT_TRUE(verify_result.verified_cert.get());
const auto& verified_intermediates =
verify_result.verified_cert->intermediate_buffers();
ASSERT_EQ(2U, verified_intermediates.size());
}
// Test that the system root certificate keychain is in the expected location
// and can be opened. Other tests would fail if this was not true, but this
// test makes the reason for the failure obvious.
TEST(CertVerifyProcMacTest, MacSystemRootCertificateKeychainLocation) {
const char* root_keychain_path =
"/System/Library/Keychains/SystemRootCertificates.keychain";
ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path)));
SecKeychainRef keychain;
OSStatus status = SecKeychainOpen(root_keychain_path, &keychain);
ASSERT_EQ(errSecSuccess, status);
CFRelease(keychain);
}
// Test that CertVerifyProcMac reacts appropriately when Apple's certificate
// verifier rejects a certificate with a fatal error. This is a regression
// test for https://crbug.com/472291.
// (Since 10.12, this causes a recoverable error instead of a fatal one.)
// TODO(mattm): Try to find a different way to cause a fatal error that works
// on 10.12.
TEST(CertVerifyProcMacTest, LargeKey) {
// Load root_ca_cert.pem into the test root store.
ScopedTestRoot test_root(
ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "large_key.pem"));
// Apple's verifier rejects this certificate as invalid because the
// RSA key is too large. If a future version of OS X changes this,
// large_key.pem may need to be regenerated with a larger key.
int flags = 0;
CertVerifyResult verify_result;
scoped_refptr<CertVerifyProc> verify_proc =
base::MakeRefCounted<CertVerifyProcMac>();
int error = verify_proc->Verify(
cert.get(), "127.0.0.1", /*ocsp_response=*/std::string(),
/*sct_list=*/std::string(), flags, CRLSet::BuiltinCRLSet().get(),
CertificateList(), &verify_result, NetLogWithSource());
EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
}
// Test that CertVerifierMac on 10.15+ appropriately flags certificates
// that violate https://support.apple.com/en-us/HT210176 as having
// too long validity, rather than being invalid certificates.
TEST(CertVerifyProcMacTest, CertValidityTooLong) {
// Load root_ca_cert.pem into the test root store.
ScopedTestRoot test_root(
ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
scoped_refptr<X509Certificate> cert(ImportCertFromFile(
GetTestCertsDirectory(), "900_days_after_2019_07_01.pem"));
int flags = 0;
CertVerifyResult verify_result;
scoped_refptr<CertVerifyProc> verify_proc =
base::MakeRefCounted<CertVerifyProcMac>();
int error = verify_proc->Verify(
cert.get(), "127.0.0.1", /*ocsp_response=*/std::string(),
/*sct_list=*/std::string(), flags, CRLSet::BuiltinCRLSet().get(),
CertificateList(), &verify_result, NetLogWithSource());
if (base::mac::IsAtLeastOS10_15()) {
EXPECT_THAT(error, IsError(ERR_CERT_VALIDITY_TOO_LONG));
EXPECT_EQ((verify_result.cert_status & CERT_STATUS_ALL_ERRORS),
CERT_STATUS_VALIDITY_TOO_LONG);
} else {
EXPECT_THAT(error, IsOk());
EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_VALIDITY_TOO_LONG);
EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_INVALID);
}
}
} // namespace
} // namespace net