| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "build/build_config.h" | 5 #include "build/build_config.h" |
| 6 | 6 |
| 7 #if defined(OS_WIN) | 7 #if defined(OS_WIN) |
| 8 #include <windows.h> | 8 #include <windows.h> |
| 9 #include <shlobj.h> | 9 #include <shlobj.h> |
| 10 #endif | 10 #endif |
| 1478 0xdb, 0x1a, 0xf7, 0xa0, 0x9f, 0x09, 0xa1, 0xea, 0xf1, 0x5c } }; | 1478 0xdb, 0x1a, 0xf7, 0xa0, 0x9f, 0x09, 0xa1, 0xea, 0xf1, 0x5c } }; |
| 1479 | 1479 |
| 1480 // This is the policy OID contained in the certificates that testserver | 1480 // This is the policy OID contained in the certificates that testserver |
| 1481 // generates. | 1481 // generates. |
| 1482 static const char kOCSPTestCertPolicy[] = "1.3.6.1.4.1.11129.2.4.1"; | 1482 static const char kOCSPTestCertPolicy[] = "1.3.6.1.4.1.11129.2.4.1"; |
| 1483 | 1483 |
| 1484 class HTTPSOCSPTest : public HTTPSRequestTest { | 1484 class HTTPSOCSPTest : public HTTPSRequestTest { |
| 1485 public: | 1485 public: |
| 1486 HTTPSOCSPTest() | 1486 HTTPSOCSPTest() |
| 1487 : context_(true), | 1487 : context_(true), |
| 1488 ev_test_policy_(EVRootCAMetadata::GetInstance(), | 1488 ev_test_policy_( |
| 1489 kOCSPTestCertFingerprint, | 1489 new ScopedTestEVPolicy(EVRootCAMetadata::GetInstance(), |
| 1490 kOCSPTestCertPolicy) { | 1490 kOCSPTestCertFingerprint, |
| 1491 kOCSPTestCertPolicy)) { |
| 1491 } | 1492 } |
| 1492 | 1493 |
| 1493 virtual void SetUp() OVERRIDE { | 1494 virtual void SetUp() OVERRIDE { |
| 1494 SetupContext(&context_); | 1495 SetupContext(&context_); |
| 1495 context_.Init(); | 1496 context_.Init(); |
| 1496 | 1497 |
| 1497 scoped_refptr<net::X509Certificate> root_cert = | 1498 scoped_refptr<net::X509Certificate> root_cert = |
| 1498 ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); | 1499 ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); |
| 1499 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert); | 1500 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert); |
| 1500 test_root_.reset(new ScopedTestRoot(root_cert)); | 1501 test_root_.reset(new ScopedTestRoot(root_cert)); |
| 1533 // connetions to testserver. This can be overridden in test subclasses for | 1534 // connetions to testserver. This can be overridden in test subclasses for |
| 1534 // different behaviour. | 1535 // different behaviour. |
| 1535 virtual void SetupContext(URLRequestContext* context) { | 1536 virtual void SetupContext(URLRequestContext* context) { |
| 1536 context->set_ssl_config_service( | 1537 context->set_ssl_config_service( |
| 1537 new TestSSLConfigService(true /* check for EV */, | 1538 new TestSSLConfigService(true /* check for EV */, |
| 1538 true /* online revocation checking */)); | 1539 true /* online revocation checking */)); |
| 1539 } | 1540 } |
| 1540 | 1541 |
| 1541 scoped_ptr<ScopedTestRoot> test_root_; | 1542 scoped_ptr<ScopedTestRoot> test_root_; |
| 1542 TestURLRequestContext context_; | 1543 TestURLRequestContext context_; |
| 1543 ScopedTestEVPolicy ev_test_policy_; | 1544 scoped_ptr<ScopedTestEVPolicy> ev_test_policy_; |
| 1544 }; | 1545 }; |
| 1545 | 1546 |
| 1546 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { | 1547 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { |
| 1547 #if defined(OS_WIN) | 1548 #if defined(OS_WIN) |
| 1548 // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't | 1549 // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't |
| 1549 // have that ability on other platforms. | 1550 // have that ability on other platforms. |
| 1550 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; | 1551 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; |
| 1551 #else | 1552 #else |
| 1552 return 0; | 1553 return 0; |
| 1553 #endif | 1554 #endif |
| 1554 } | 1555 } |
| 1555 | 1556 |
| 1556 // SystemUsesChromiumEVMetadata returns true iff the current operating system | 1557 // SystemUsesChromiumEVMetadata returns true iff the current operating system |
| 1557 // uses Chromium's EV metadata (i.e. EVRootCAMetadata). If it does not, then | 1558 // uses Chromium's EV metadata (i.e. EVRootCAMetadata). If it does not, then |
| 1558 // several tests are effected because our testing EV certificate won't be | 1559 // several tests are effected because our testing EV certificate won't be |
| 1559 // recognised as EV. | 1560 // recognised as EV. |
| 1560 static bool SystemUsesChromiumEVMetadata() { | 1561 static bool SystemUsesChromiumEVMetadata() { |
| 1561 #if defined(USE_OPENSSL) | 1562 #if defined(USE_OPENSSL) |
| 1562 // http://crbug.com/117478 - OpenSSL does not support EV validation. | 1563 // http://crbug.com/117478 - OpenSSL does not support EV validation. |
| 1563 return false; | 1564 return false; |
| 1564 #elif defined(OS_MACOSX) | 1565 #elif defined(OS_MACOSX) |
| 1565 // On OS X, we use the system to tell us whether a certificate is EV or not | 1566 // On OS X, we use the system to tell us whether a certificate is EV or not |
| 1566 // and the system won't recognise our testing root. | 1567 // and the system won't recognise our testing root. |
| 1567 return false; | 1568 return false; |
| 1568 #else | 1569 #else |
| 1569 return true; | 1570 return true; |
| 1570 #endif | 1571 #endif |
| 1571 } | 1572 } |
| 1572 | 1573 |
| 1573 static bool | 1574 static bool SystemSupportsOCSP() { |
| 1574 SystemSupportsOCSP() { | |
| 1575 #if defined(USE_OPENSSL) | 1575 #if defined(USE_OPENSSL) |
| 1576 // http://crbug.com/117478 - OpenSSL does not support OCSP. | 1576 // http://crbug.com/117478 - OpenSSL does not support OCSP. |
| 1577 return false; | 1577 return false; |
| 1578 #elif defined(OS_WIN) | 1578 #elif defined(OS_WIN) |
| 1579 return base::win::GetVersion() >= base::win::VERSION_VISTA; | 1579 return base::win::GetVersion() >= base::win::VERSION_VISTA; |
| 1580 #elif defined(OS_ANDROID) | 1580 #elif defined(OS_ANDROID) |
| 1581 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. | 1581 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
| 1582 return false; | 1582 return false; |
| 1583 #else | 1583 #else |
| 1584 return true; | 1584 return true; |
| 1667 https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; | 1667 https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; |
| 1668 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); | 1668 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); |
| 1669 | 1669 |
| 1670 CertStatus cert_status = 0; | 1670 CertStatus cert_status = 0; |
| 1671 DoConnection(https_options, &cert_status); | 1671 DoConnection(https_options, &cert_status); |
| 1672 | 1672 |
| 1673 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 1673 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
| 1674 cert_status & CERT_STATUS_ALL_ERRORS); | 1674 cert_status & CERT_STATUS_ALL_ERRORS); |
| 1675 | 1675 |
| 1676 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 1676 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 1677 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 1677 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 1678 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 1678 } | 1679 } |
| 1679 | 1680 |
| 1680 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndGoodOCSP) { | 1681 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndGoodOCSP) { |
| 1681 if (!SystemSupportsOCSP()) { | 1682 if (!SystemSupportsOCSP()) { |
| 1682 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 1683 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| 1683 return; | 1684 return; |
| 1684 } | 1685 } |
| 1685 | 1686 |
| 1686 TestServer::HTTPSOptions https_options( | 1687 TestServer::HTTPSOptions https_options( |
| 1687 TestServer::HTTPSOptions::CERT_AUTO); | 1688 TestServer::HTTPSOptions::CERT_AUTO); |
| 1688 https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_OK; | 1689 https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_OK; |
| 1689 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); | 1690 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); |
| 1690 | 1691 |
| 1691 CertStatus cert_status; | 1692 CertStatus cert_status; |
| 1692 DoConnection(https_options, &cert_status); | 1693 DoConnection(https_options, &cert_status); |
| 1693 | 1694 |
| 1694 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); | 1695 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
| 1695 | 1696 |
| 1696 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 1697 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 1697 static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); | 1698 static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); |
| 1698 | 1699 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 1699 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 1700 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 1700 } | 1701 } |
| 1701 | 1702 |
| 1702 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSet) { | 1703 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSet) { |
| 1703 if (!SystemSupportsOCSP()) { | 1704 if (!SystemSupportsOCSP()) { |
| 1704 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 1705 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| 1705 return; | 1706 return; |
| 1706 } | 1707 } |
| 1707 | 1708 |
| 1708 TestServer::HTTPSOptions https_options( | 1709 TestServer::HTTPSOptions https_options( |
| 1709 TestServer::HTTPSOptions::CERT_AUTO); | 1710 TestServer::HTTPSOptions::CERT_AUTO); |
| 1710 https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; | 1711 https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; |
| 1711 SSLConfigService::SetCRLSet( | 1712 SSLConfigService::SetCRLSet( |
| 1712 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); | 1713 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
| 1713 | 1714 |
| 1714 CertStatus cert_status; | 1715 CertStatus cert_status; |
| 1715 DoConnection(https_options, &cert_status); | 1716 DoConnection(https_options, &cert_status); |
| 1716 | 1717 |
| 1717 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 1718 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
| 1718 cert_status & CERT_STATUS_ALL_ERRORS); | 1719 cert_status & CERT_STATUS_ALL_ERRORS); |
| 1719 | 1720 |
| 1720 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 1721 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 1721 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 1722 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 1723 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 1722 } | 1724 } |
| 1723 | 1725 |
| 1724 TEST_F(HTTPSEVCRLSetTest, FreshCRLSet) { | 1726 TEST_F(HTTPSEVCRLSetTest, FreshCRLSet) { |
| 1725 TestServer::HTTPSOptions https_options( | 1727 TestServer::HTTPSOptions https_options( |
| 1726 TestServer::HTTPSOptions::CERT_AUTO); | 1728 TestServer::HTTPSOptions::CERT_AUTO); |
| 1727 https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; | 1729 https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; |
| 1728 SSLConfigService::SetCRLSet( | 1730 SSLConfigService::SetCRLSet( |
| 1729 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); | 1731 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); |
| 1730 | 1732 |
| 1731 CertStatus cert_status = 0; | 1733 CertStatus cert_status = 0; |
| 1732 DoConnection(https_options, &cert_status); | 1734 DoConnection(https_options, &cert_status); |
| 1733 | 1735 |
| 1734 // With a valid, fresh CRLSet the bad OCSP response shouldn't matter because | 1736 // With a valid, fresh CRLSet the bad OCSP response shouldn't matter because |
| 1735 // we wont check it. | 1737 // we wont check it. |
| 1736 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); | 1738 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
| 1737 | 1739 |
| 1738 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 1740 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 1739 static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); | 1741 static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); |
| 1740 | 1742 |
| 1741 EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 1743 EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| 1742 } | 1744 } |
| 1743 | 1745 |
| 1746 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSetAndRevokedNonEVCert) { |
| 1747 // Test that when EV verification is requested, but online revocation |
| 1748 // checking is disabled, and the leaf certificate is not in fact EV, that |
| 1749 // no revocation checking actually happens. |
| 1750 if (!SystemSupportsOCSP()) { |
| 1751 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| 1752 return; |
| 1753 } |
| 1754 |
| 1755 // Unmark the certificate's OID as EV, which should disable revocation |
| 1756 // checking (as per the user preference) |
| 1757 ev_test_policy_.reset(); |
| 1758 |
| 1759 TestServer::HTTPSOptions https_options( |
| 1760 TestServer::HTTPSOptions::CERT_AUTO); |
| 1761 https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_REVOKED; |
| 1762 SSLConfigService::SetCRLSet( |
| 1763 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
| 1764 |
| 1765 CertStatus cert_status; |
| 1766 DoConnection(https_options, &cert_status); |
| 1767 |
| 1768 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
| 1769 |
| 1770 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 1771 EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| 1772 } |
| 1773 |
| 1744 class HTTPSCRLSetTest : public HTTPSOCSPTest { | 1774 class HTTPSCRLSetTest : public HTTPSOCSPTest { |
| 1745 protected: | 1775 protected: |
| 1746 virtual void SetupContext(URLRequestContext* context) OVERRIDE { | 1776 virtual void SetupContext(URLRequestContext* context) OVERRIDE { |
| 1747 context->set_ssl_config_service( | 1777 context->set_ssl_config_service( |
| 1748 new TestSSLConfigService(false /* check for EV */, | 1778 new TestSSLConfigService(false /* check for EV */, |
| 1749 false /* online revocation checking */)); | 1779 false /* online revocation checking */)); |
| 1750 } | 1780 } |
| 1751 }; | 1781 }; |
| 1752 | 1782 |
| 1753 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { | 1783 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { |
| 4628 req.SetExtraRequestHeaders(headers); | 4658 req.SetExtraRequestHeaders(headers); |
| 4629 req.Start(); | 4659 req.Start(); |
| 4630 MessageLoop::current()->Run(); | 4660 MessageLoop::current()->Run(); |
| 4631 // If the net tests are being run with ChromeFrame then we need to allow for | 4661 // If the net tests are being run with ChromeFrame then we need to allow for |
| 4632 // the 'chromeframe' suffix which is added to the user agent before the | 4662 // the 'chromeframe' suffix which is added to the user agent before the |
| 4633 // closing parentheses. | 4663 // closing parentheses. |
| 4634 EXPECT_TRUE(StartsWithASCII(d.data_received(), "Lynx (textmode", true)); | 4664 EXPECT_TRUE(StartsWithASCII(d.data_received(), "Lynx (textmode", true)); |
| 4635 } | 4665 } |
| 4636 | 4666 |
| 4637 } // namespace net | 4667 } // namespace net |
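Review bot: `cert_status` in the new ExpiredCRLSetAndRevokedNonEVCert test (new line 1765) is declared without an initializer, whereas the FreshCRLSet test and the OCSP_INVALID test above it write `CertStatus cert_status = 0;`; if DoConnection returns without storing a status (a connection that fails before certificate verification completes), the three EXPECTs at 1768-1771 read an indeterminate value, and a revoked certificate could pass as error-free by chance. Initialize it the same way, `CertStatus cert_status = 0;`, so that a missing status is reported as a failure of the REV_CHECKING/IS_EV expectations rather than noise. The comment at 1747-1749 states that online revocation checking is disabled, but that is decided by HTTPSEVCRLSetTest::SetupContext, which is outside this view; it would help to say in the comment that the `EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)` at 1771 is what verifies the user preference is honoured for a non-EV leaf, since `EXPECT_EQ(0u, ...)` alone cannot distinguish "not checked" from "checked and ignored". The `ev_test_policy_.reset()` at 1757 only affects this test because the fixture constructor (1488-1491) creates a fresh ScopedTestEVPolicy per instance; the whole test body is within the hunk.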