diff --git a/chrome/browser/ssl/ocsp_browsertest.cc b/chrome/browser/ssl/ocsp_browsertest.cc index a071967863808..943d83d3257c6 100644 --- a/chrome/browser/ssl/ocsp_browsertest.cc +++ b/chrome/browser/ssl/ocsp_browsertest.cc @@ -27,6 +27,7 @@ #include "net/cert/ev_root_ca_metadata.h" #include "net/test/cert_test_util.h" #include "net/test/embedded_test_server/embedded_test_server.h" +#include "net/test/test_data_directory.h" #include "services/network/public/cpp/features.h" #include "services/network/public/mojom/ssl_config.mojom.h" #include "third_party/blink/public/common/features.h" @@ -35,14 +36,6 @@ namespace AuthState = ssl_test_util::AuthState; namespace { -// SHA256 hash of the testserver root_ca_cert DER. -// openssl x509 -in root_ca_cert.pem -outform der | \ -// openssl dgst -sha256 -binary | xxd -i -static const net::SHA256HashValue kTestRootCertHash = { - {0xb2, 0xab, 0xa3, 0xa5, 0xd4, 0x11, 0x56, 0xcb, 0xb9, 0x23, 0x35, - 0x07, 0x6d, 0x0b, 0x51, 0xbe, 0xd3, 0xee, 0x2e, 0xab, 0xe7, 0xab, - 0x6b, 0xad, 0xcc, 0x2a, 0xfa, 0x35, 0xfb, 0x8e, 0x31, 0x5e}}; - // The test EV policy OID used for generated certs. static const char kOCSPTestCertPolicy[] = "1.3.6.1.4.1.11129.2.4.1"; @@ -84,8 +77,12 @@ class OCSPBrowserTest : public PlatformBrowserTest, // TODO(https://crbug.com/1085233): when the CertVerifierService is moved // out of process, the ScopedTestEVPolicy needs to be instantiated in // that process. + scoped_refptr root_cert = net::ImportCertFromFile( + net::GetTestCertsDirectory(), "root_ca_cert.pem"); + ASSERT_TRUE(root_cert); ev_test_policy_ = std::make_unique( - net::EVRootCAMetadata::GetInstance(), kTestRootCertHash, + net::EVRootCAMetadata::GetInstance(), + net::X509Certificate::CalculateFingerprint256(root_cert->cert_buffer()), kOCSPTestCertPolicy); } diff --git a/chrome/common/net/x509_certificate_model_nss_unittest.cc b/chrome/common/net/x509_certificate_model_nss_unittest.cc index 17073895af6fc..1e4f1a57bf7a6 100644 
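Review bot: The new lines that build `ev_test_policy_` in the last hunk of ocsp_browsertest.cc no longer say which hash the EV policy is keyed on; the removed constant carried the only comment stating it is the SHA-256 of the whole certificate DER. I would add above the `ImportCertFromFile` call: `// EV metadata is keyed on the SHA-256 fingerprint of the whole root cert DER (not the SPKI hash); derive it from root_ca_cert.pem so regenerated test certs need no code change.` The same applies to `HTTPSOCSPTest::SetUp` in net/url_request/url_request_unittest.cc, where the SPKI-hash helper lives in the same file and the two hashes are easy to confuse. The enclosing function here starts outside the hunk, so it cannot be confirmed whether a failed `ASSERT_TRUE(root_cert)` aborts the whole fixture setup or only returns from this function.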
--- a/chrome/common/net/x509_certificate_model_nss_unittest.cc +++ b/chrome/common/net/x509_certificate_model_nss_unittest.cc @@ -384,25 +384,17 @@ TEST_F(X509CertificateModelTest, ProcessSubjectPublicKeyInfo) { TEST_F(X509CertificateModelTest, ProcessRawBitsSignatureWrap) { net::ScopedCERTCertificate cert(net::ImportCERTCertificateFromFile( - net::GetTestCertsDirectory(), "root_ca_cert.pem")); + net::GetTestCertsDirectory(), "google.single.pem")); ASSERT_TRUE(cert.get()); EXPECT_EQ( - "B1 B1 83 61 AF DB ED 98 CF 3D 43 5F A7 42 B8 6D\n" - "94 36 57 BB AB 04 EE DD 3B B7 6D EC 78 7D 46 59\n" - "B1 E6 2A C3 AA A5 70 A7 E1 0C FA 65 37 C6 CB 7D\n" - "A1 37 35 A1 FF F0 DD CE B6 A4 2C 12 D4 46 A9 9C\n" - "A2 91 3A B0 95 55 97 55 E6 0A DA 63 60 24 19 AC\n" - "20 C9 B1 94 40 E9 99 B1 F5 C3 ED 61 5D DE 4C E4\n" - "EB D9 0E AC 3A 0A FC 44 7D 0F 77 A6 B6 DA 28 D4\n" - "ED EA 3A BC 57 23 9C 72 2B 2D B0 5D 11 02 4D C5\n" - "BC B0 D6 7E 00 8E F7 E7 F5 19 3A 23 DF 33 02 AA\n" - "4B BF 81 F4 5A 99 EE 74 20 F3 77 A1 F0 85 1E A8\n" - "D6 CC A4 CB 31 FA 73 24 A2 0E DD 9F 6F 82 38 5F\n" - "85 AC 8D 76 BD D8 F2 69 73 E3 46 44 42 E3 5E F3\n" - "AA 5E 44 13 51 EA 0B 78 91 77 96 EE 73 FE 2A B5\n" - "88 C1 38 8D 8D A8 19 76 94 05 02 CF D4 6F EB E6\n" - "07 F5 9D 52 24 B8 50 A3 0E C4 45 A6 09 B4 06 2D\n" - "3E 14 A5 3F 1C 1A BC DA B8 40 3E C1 1C F6 3C 05", + "9F 43 CF 5B C4 50 29 B1 BF E2 B0 9A FF 6A 21 1D\n" + "2D 12 C3 2C 4E 5A F9 12 E2 CE B9 82 52 2D E7 1D\n" + "7E 1A 76 96 90 79 D1 24 52 38 79 BB 63 8D 80 97\n" + "7C 23 20 0F 91 4D 16 B9 EA EE F4 6D 89 CA C6 BD\n" + "CC 24 68 D6 43 5B CE 2A 58 BF 3C 18 E0 E0 3C 62\n" + "CF 96 02 2D 28 47 50 34 E1 27 BA CF 99 D1 50 FF\n" + "29 25 C0 36 36 15 33 52 70 BE 31 8F 9F E8 7F E7\n" + "11 0C 8D BF 84 A0 42 1A 80 89 B0 31 58 41 07 5F", x509_certificate_model::ProcessRawBitsSignatureWrap(cert.get())); } diff --git a/net/cert/nss_cert_database_unittest.cc b/net/cert/nss_cert_database_unittest.cc index 74c8c2273243c..eb191f3bce3e7 100644 
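Review bot: The expected bytes in `ProcessRawBitsSignatureWrap` are still a literal bound to one specific file, and nothing at the call site says why `google.single.pem` was chosen or how the literal was produced. Presumably this certificate is a fixed checked-in file that is not regenerated along with the test server certs. If so, a comment such as `// google.single.pem is a static cert, so the signature bytes below stay stable.` would keep a later change from pointing the test back at a regenerated certificate.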
--- a/net/cert/nss_cert_database_unittest.cc +++ b/net/cert/nss_cert_database_unittest.cc @@ -543,12 +543,20 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert) { // All the certs in the imported list should now be found in the NSS DB. ScopedCERTCertificateList cert_list = ListCerts(); ASSERT_EQ(3U, cert_list.size()); - CERTCertificate* found_server_cert = cert_list[1].get(); - CERTCertificate* found_intermediate_cert = cert_list[2].get(); - CERTCertificate* found_root_cert = cert_list[0].get(); - EXPECT_EQ("127.0.0.1", GetSubjectCN(found_server_cert)); - EXPECT_EQ("Test Intermediate CA", GetSubjectCN(found_intermediate_cert)); - EXPECT_EQ("Test Root CA", GetSubjectCN(found_root_cert)); + CERTCertificate* found_server_cert = nullptr; + CERTCertificate* found_intermediate_cert = nullptr; + CERTCertificate* found_root_cert = nullptr; + for (const auto& cert : cert_list) { + if (GetSubjectCN(cert.get()) == "127.0.0.1") + found_server_cert = cert.get(); + else if (GetSubjectCN(cert.get()) == "Test Intermediate CA") + found_intermediate_cert = cert.get(); + else if (GetSubjectCN(cert.get()) == "Test Root CA") + found_root_cert = cert.get(); + } + ASSERT_TRUE(found_server_cert); + ASSERT_TRUE(found_intermediate_cert); + ASSERT_TRUE(found_root_cert); EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, cert_db_->GetCertTrust(found_server_cert, SERVER_CERT)); diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc index 0fccae702ba12..8484d09dbe46e 100644 --- a/net/http/transport_security_state_unittest.cc +++ b/net/http/transport_security_state_unittest.cc 
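Review bot: `GetSubjectCN(cert.get())` is evaluated up to three times per certificate in the new loop of `ImportServerCert`, and the unbraced `if`/`else if` chain is easy to misread. Taking the name once, `const auto subject_cn = GetSubjectCN(cert.get());`, and comparing `subject_cn` in each braced branch reads better. The three `ASSERT_TRUE` checks would also be easier to diagnose with a message, for example `ASSERT_TRUE(found_root_cert) << "Test Root CA not found";`. The test body continues past the end of the hunk.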
@@ -1318,7 +1318,8 @@ TEST_F(TransportSecurityStateTest, ExpectCTReporter) { EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); - EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), + ASSERT_EQ(1u, ssl_info.signed_certificate_timestamps.size()); + ASSERT_EQ(ssl_info.signed_certificate_timestamps.size(), reporter.signed_certificate_timestamps().size()); EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, reporter.signed_certificate_timestamps()[0].status); diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc index 825e733b1aa9d..528c686ea0a15 100644 --- a/net/url_request/url_request_unittest.cc +++ b/net/url_request/url_request_unittest.cc @@ -665,6 +665,25 @@ class OCSPErrorTestDelegate : public TestDelegate { SSLInfo ssl_info_; }; +#if !defined(OS_IOS) +// Compute the root cert's SPKI hash on the fly, to avoid hardcoding it within +// tests. +bool GetTestRootCertSPKIHash(SHA256HashValue* root_hash) { + scoped_refptr root_cert = + ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem"); + if (!root_cert) + return false; + base::StringPiece root_spki; + if (!asn1::ExtractSPKIFromDERCert( + x509_util::CryptoBufferAsStringPiece(root_cert->cert_buffer()), + &root_spki)) { + return false; + } + crypto::SHA256HashString(root_spki, root_hash, sizeof(SHA256HashValue)); + return true; +} +#endif + } // namespace // Inherit PlatformTest since we require the autorelease pool on Mac OS X. 
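Review bot: In `GetTestRootCertSPKIHash`, `crypto::SHA256HashString(root_spki, root_hash, sizeof(SHA256HashValue))` writes the digest through the struct pointer, which is only correct while `SHA256HashValue` holds nothing but the digest array. Writing to the array itself states the intent and ties the length to the buffer: `crypto::SHA256HashString(root_spki, root_hash->data, sizeof(root_hash->data));`. The helper's comment should also say that `*root_hash` is left unmodified when it returns false. The callers in `FreshCRLSetCovered`, `CRLSetRevoked` and `InterceptionBlockedAllowOverrideOnHSTS` pass an uninitialized `SHA256HashValue` and rely on `ASSERT_TRUE` to stop before it reaches `CRLSet::ForTesting` or `public_key_hashes`.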
@@ -10707,22 +10726,6 @@ class HTTPSCertNetFetchingTest : public HTTPSRequestTest { TestURLRequestContext context_; }; -// SHA256 hash of the testserver root_ca_cert DER. -// openssl x509 -in root_ca_cert.pem -outform der | \ -// openssl dgst -sha256 -binary | xxd -i -static const SHA256HashValue kTestRootCertHash = { - {0xb2, 0xab, 0xa3, 0xa5, 0xd4, 0x11, 0x56, 0xcb, 0xb9, 0x23, 0x35, - 0x07, 0x6d, 0x0b, 0x51, 0xbe, 0xd3, 0xee, 0x2e, 0xab, 0xe7, 0xab, - 0x6b, 0xad, 0xcc, 0x2a, 0xfa, 0x35, 0xfb, 0x8e, 0x31, 0x5e}}; - -// SHA256 hash of the DER SPKI of the testserver root_ca_cert. -// openssl x509 -in root_ca_cert.pem -pubkey -noout | \ -// openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | xxd -i -static const SHA256HashValue kTestRootCertSPKIHash = { - {0x57, 0x2a, 0x4f, 0xdd, 0x55, 0x8b, 0xec, 0xe6, 0xaa, 0x4c, 0x9e, - 0xe6, 0x20, 0x17, 0xa1, 0x59, 0x89, 0x6f, 0xf2, 0x48, 0x4f, 0xb8, - 0x51, 0xe9, 0x5a, 0x27, 0x9a, 0xad, 0x92, 0x36, 0x62, 0x32}}; - // The test EV policy OID used for generated certs. static const char kOCSPTestCertPolicy[] = "1.3.6.1.4.1.11129.2.4.1"; @@ -10731,8 +10734,13 @@ class HTTPSOCSPTest : public HTTPSCertNetFetchingTest { void SetUp() override { HTTPSCertNetFetchingTest::SetUp(); + scoped_refptr root_cert = + ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem"); + ASSERT_TRUE(root_cert); + ev_test_policy_ = std::make_unique( - EVRootCAMetadata::GetInstance(), kTestRootCertHash, + EVRootCAMetadata::GetInstance(), + X509Certificate::CalculateFingerprint256(root_cert->cert_buffer()), kOCSPTestCertPolicy); } 
@@ -11562,8 +11570,10 @@ TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { EmbeddedTestServer::OCSPConfig::ResponseType::kInvalidResponse); CertVerifier::Config cert_verifier_config = GetCertVerifierConfig(); + SHA256HashValue root_cert_spki_hash; + ASSERT_TRUE(GetTestRootCertSPKIHash(&root_cert_spki_hash)); cert_verifier_config.crl_set = - CRLSet::ForTesting(false, &kTestRootCertSPKIHash, "", "", {}); + CRLSet::ForTesting(false, &root_cert_spki_hash, "", "", {}); context_.cert_verifier()->SetConfig(cert_verifier_config); CertStatus cert_status; @@ -11670,8 +11680,10 @@ TEST_F(HTTPSCRLSetTest, CRLSetRevoked) { ASSERT_TRUE(test_server.Start()); CertVerifier::Config cert_verifier_config = GetCertVerifierConfig(); + SHA256HashValue root_cert_spki_hash; + ASSERT_TRUE(GetTestRootCertSPKIHash(&root_cert_spki_hash)); cert_verifier_config.crl_set = - CRLSet::ForTesting(false, &kTestRootCertSPKIHash, + CRLSet::ForTesting(false, &root_cert_spki_hash, test_server.GetCertificate()->serial_number(), "", {}); context_.cert_verifier()->SetConfig(cert_verifier_config); @@ -11895,17 +11907,8 @@ TEST_F(HTTPSLocalCRLSetTest, InterceptionBlockedAllowOverrideOnHSTS) { // Configure for kHSTSSubdomainWithKnownInterception CertVerifyResult sts_sub_result = fake_result; - // Compute the root cert's hash on the fly, to avoid hardcoding it within - // tests. - scoped_refptr root_cert = - ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem"); - ASSERT_TRUE(root_cert); - base::StringPiece root_spki; - ASSERT_TRUE(asn1::ExtractSPKIFromDERCert( - x509_util::CryptoBufferAsStringPiece(root_cert->cert_buffer()), - &root_spki)); SHA256HashValue root_hash; - crypto::SHA256HashString(root_spki, &root_hash, sizeof(root_hash)); + ASSERT_TRUE(GetTestRootCertSPKIHash(&root_hash)); sts_sub_result.public_key_hashes.push_back(HashValue(root_hash)); sts_sub_result.cert_status |= CERT_STATUS_REVOKED | CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED;