test/cert_builder: Allow invalid URLs
Allow passing invalid URLs into the test CertBuilder for a wider range of possible test scenarios. At the moment the builder fails with "NOTREACHED hit" if the passed URL is not "is_valid()". Add a new method that explicitly accepts arbitrary strings to make it independent of the GURL implementation and use it to fix kcer_nss_fuzzer. Fixed: https://issues.chromium.org/382526735 Test: Run kcer_nss_fuzzer with the reproducer testcase from the bug Change-Id: Ic95108587a2723350524b3462c4fac2158168aee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6080375 Auto-Submit: Michael Ershov <miersh@google.com> Commit-Queue: Michael Ershov <miersh@google.com> Reviewed-by: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/main@{#1395834}

committed by
Chromium LUCI CQ

parent
3e97510353
commit
3a87375254
ash/components/kcer/kcer_nss
net
@ -291,10 +291,6 @@ inline std::vector<uint8_t> CertGenerator::GetBytes() {
|
||||
return data_provider_->ConsumeBytes<uint8_t>(length);
|
||||
}
|
||||
|
||||
inline GURL CertGenerator::GetGurl() {
|
||||
return GURL(data_provider_->ConsumeRandomLengthString());
|
||||
}
|
||||
|
||||
inline net::IPAddress CertGenerator::GetIpAddress() {
|
||||
bool use_ip4 = GetBool();
|
||||
if (use_ip4) {
|
||||
@ -417,13 +413,13 @@ void CertGenerator::GenerateCert() {
|
||||
excluded_dns_names);
|
||||
}
|
||||
if (GetBool()) {
|
||||
std::vector<GURL> ca_issuers_urls;
|
||||
std::vector<std::string> ca_issuers_urls;
|
||||
while (GetBool()) {
|
||||
ca_issuers_urls.push_back(GetGurl());
|
||||
ca_issuers_urls.push_back(GetString());
|
||||
}
|
||||
std::vector<GURL> ocsp_urls;
|
||||
std::vector<std::string> ocsp_urls;
|
||||
while (GetBool()) {
|
||||
ocsp_urls.push_back(GetGurl());
|
||||
ocsp_urls.push_back(GetString());
|
||||
}
|
||||
cert_builder_->SetCaIssuersAndOCSPUrls(ca_issuers_urls, ocsp_urls);
|
||||
}
|
||||
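Review bot: The `ca_issuers_urls` and `ocsp_urls` loops in `GenerateCert()` now push `GetString()` results, but nothing at the site says the values are deliberately left unvalidated, so a later cleanup could switch back to `GURL` and narrow the fuzzer's input space again. I would add above the first loop `// Raw strings on purpose: AIA locations fed to the builder need not be valid URLs.` `GetString()` is defined outside this hunk, so it cannot be confirmed from here that it consumes fuzz input the same way the removed `GetGurl()` did, which affects how existing corpus entries decode. `GenerateCert()` starts and ends outside the hunk.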
|
@ -108,7 +108,8 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
|
||||
// Tests that if the certificate does not contain an AIA URL, no AIA fetch
|
||||
// occurs.
|
||||
TEST_F(CertVerifyProcAndroidTestWithAIAFetching, NoAIAURL) {
|
||||
leaf_->SetCaIssuersAndOCSPUrls(/*ca_issuers_urls=*/{}, /*ocsp_urls=*/{});
|
||||
leaf_->SetCaIssuersAndOCSPUrls(/*ca_issuers_urls=*/std::vector<GURL>(),
|
||||
/*ocsp_urls=*/std::vector<GURL>());
|
||||
TrustTestRoot();
|
||||
scoped_refptr<CertVerifyProcAndroid> proc =
|
||||
base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_,
|
||||
|
@ -513,12 +513,33 @@ void CertBuilder::SetCaIssuersUrl(const GURL& url) {
|
||||
void CertBuilder::SetCaIssuersAndOCSPUrls(
|
||||
const std::vector<GURL>& ca_issuers_urls,
|
||||
const std::vector<GURL>& ocsp_urls) {
|
||||
std::vector<std::pair<bssl::der::Input, GURL>> entries;
|
||||
for (const auto& url : ca_issuers_urls)
|
||||
entries.emplace_back(bssl::der::Input(bssl::kAdCaIssuersOid), url);
|
||||
for (const auto& url : ocsp_urls)
|
||||
entries.emplace_back(bssl::der::Input(bssl::kAdOcspOid), url);
|
||||
std::vector<std::pair<bssl::der::Input, std::string_view>> entries;
|
||||
for (const auto& url : ca_issuers_urls) {
|
||||
entries.emplace_back(bssl::der::Input(bssl::kAdCaIssuersOid),
|
||||
url.possibly_invalid_spec());
|
||||
}
|
||||
for (const auto& url : ocsp_urls) {
|
||||
entries.emplace_back(bssl::der::Input(bssl::kAdOcspOid),
|
||||
url.possibly_invalid_spec());
|
||||
}
|
||||
SetCaIssuersAndOCSPUrls(entries);
|
||||
}
|
||||
|
||||
void CertBuilder::SetCaIssuersAndOCSPUrls(
|
||||
const std::vector<std::string>& ca_issuers_urls,
|
||||
const std::vector<std::string>& ocsp_urls) {
|
||||
std::vector<std::pair<bssl::der::Input, std::string_view>> entries;
|
||||
for (const auto& url : ca_issuers_urls) {
|
||||
entries.emplace_back(bssl::der::Input(bssl::kAdCaIssuersOid), url);
|
||||
}
|
||||
for (const auto& url : ocsp_urls) {
|
||||
entries.emplace_back(bssl::der::Input(bssl::kAdOcspOid), url);
|
||||
}
|
||||
SetCaIssuersAndOCSPUrls(entries);
|
||||
}
|
||||
|
||||
void CertBuilder::SetCaIssuersAndOCSPUrls(
|
||||
const std::vector<std::pair<bssl::der::Input, std::string_view>>& entries) {
|
||||
if (entries.empty()) {
|
||||
EraseExtension(bssl::der::Input(bssl::kAuthorityInfoAccessOid));
|
||||
return;
|
||||
@ -545,7 +566,7 @@ void CertBuilder::SetCaIssuersAndOCSPUrls(
|
||||
ASSERT_TRUE(CBBAddBytes(&access_method, entry.first.AsStringView()));
|
||||
ASSERT_TRUE(CBB_add_asn1(&access_description, &access_location,
|
||||
CBS_ASN1_CONTEXT_SPECIFIC | 6));
|
||||
ASSERT_TRUE(CBBAddBytes(&access_location, entry.second.spec()));
|
||||
ASSERT_TRUE(CBBAddBytes(&access_location, entry.second));
|
||||
ASSERT_TRUE(CBB_flush(&aia));
|
||||
}
|
||||
|
||||
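Review bot: The `std::vector<GURL>` overload of `SetCaIssuersAndOCSPUrls` now reads `url.possibly_invalid_spec()`, so a GURL that is invalid by accident no longer fails loudly and whatever string it holds is written into the AIA accessLocation. If malformed input is meant to go only through the new `std::vector<std::string>` overload, the GURL path could stay strict with `ASSERT_TRUE(url.is_valid());` at the top of each loop; otherwise a comment on this overload should state that invalid GURLs are encoded as-is. The local `entries` vector holds `std::string_view`s into the callers' strings and the GURLs' spec storage, which is only safe if `possibly_invalid_spec()` returns a reference to storage owned by the GURL (not visible on this page) and the private overload does not keep the views. A one-line comment at the `entries` declaration saying so would help. The body of the private overload is only partly visible between the two hunks.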
|
@ -180,6 +180,10 @@ class CertBuilder {
|
||||
// removed.
|
||||
void SetCaIssuersAndOCSPUrls(const std::vector<GURL>& ca_issuers_urls,
|
||||
const std::vector<GURL>& ocsp_urls);
|
||||
// Same as |SetCaIssuersAndOCSPUrls| above, but the inputs can be arbitrary
|
||||
// strings.
|
||||
void SetCaIssuersAndOCSPUrls(const std::vector<std::string>& ca_issuers_urls,
|
||||
const std::vector<std::string>& ocsp_urls);
|
||||
|
||||
// Sets a cRLDistributionPoints extension with a single DistributionPoint
|
||||
// with |url| in distributionPoint.fullName.
|
||||
@ -411,6 +415,10 @@ class CertBuilder {
|
||||
|
||||
void GenerateCertificate();
|
||||
|
||||
void SetCaIssuersAndOCSPUrls(
|
||||
const std::vector<std::pair<bssl::der::Input, std::string_view>>&
|
||||
entries);
|
||||
|
||||
struct ExtensionValue {
|
||||
bool critical = false;
|
||||
std::string value;
|
||||
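Review bot: The comment on the new `std::vector<std::string>` overload says only that the inputs can be arbitrary strings. It should also say that each string is copied byte-for-byte into the `[6]` uniformResourceIdentifier accessLocation with no validation, so the extension may not be a well-formed IA5String, for example `// No validation is performed: each string is written verbatim into the accessLocation, so the result may be malformed.` Having two public overloads also makes a call with `{}` for both arguments ambiguous, which appears to be why the Android unit test in this commit spells out `std::vector<GURL>()`; a sentence about that would help future callers. The private `std::string_view` overload declared in the second hunk has no comment, and it could note that the views must stay valid for the duration of the call. The `CertBuilder` class starts and ends outside both hunks.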
|