Chromium Code Reviews Chromium Code Reviews
Issue 9584041:
Create stubs for system certificate validation. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/base64.h" | 10 #include "base/base64.h" |
| 11 #include "base/file_path.h" | 11 #include "base/file_path.h" |
| 12 #include "base/message_loop.h" | |
| 12 #include "base/sha1.h" | 13 #include "base/sha1.h" |
| 13 #include "base/string_piece.h" | 14 #include "base/string_piece.h" |
| 14 #include "net/base/asn1_util.h" | 15 #include "net/base/asn1_util.h" |
| 15 #include "net/base/cert_test_util.h" | 16 #include "net/base/cert_test_util.h" |
| 16 #include "net/base/cert_verifier.h" | 17 #include "net/base/cert_verifier.h" |
| 17 #include "net/base/cert_verify_result.h" | 18 #include "net/base/cert_verify_result.h" |
| 19 #include "net/base/net_errors.h" | |
| 20 #include "net/base/net_log.h" | |
| 18 #include "net/base/ssl_info.h" | 21 #include "net/base/ssl_info.h" |
| 19 #include "net/base/test_root_certs.h" | 22 #include "net/base/test_root_certs.h" |
| 23 #include "net/base/test_completion_callback.h" | |
|
wtc
2012/03/06 23:10:14
Nit: ordering is wrong.
| |
| 20 #include "net/base/x509_certificate.h" | 24 #include "net/base/x509_certificate.h" |
| 21 #include "net/http/http_util.h" | 25 #include "net/http/http_util.h" |
| 22 #include "testing/gtest/include/gtest/gtest.h" | 26 #include "testing/gtest/include/gtest/gtest.h" |
| 23 | 27 |
| 24 #if defined(USE_OPENSSL) | 28 #if defined(USE_OPENSSL) |
| 25 #include "crypto/openssl_util.h" | 29 #include "crypto/openssl_util.h" |
| 26 #else | 30 #else |
| 27 #include "crypto/nss_util.h" | 31 #include "crypto/nss_util.h" |
| 28 #endif | 32 #endif |
| 29 | 33 |
| (...skipping 250 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 280 | 284 |
| 281 // Add the root that signed the intermediate for this test. | 285 // Add the root that signed the intermediate for this test. |
| 282 scoped_refptr<X509Certificate> root_cert = | 286 scoped_refptr<X509Certificate> root_cert = |
| 283 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); | 287 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); |
| 284 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | 288 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); |
| 285 TestRootCerts::GetInstance()->Add(root_cert.get()); | 289 TestRootCerts::GetInstance()->Add(root_cert.get()); |
| 286 | 290 |
| 287 // Verify has the side-effect of populating public_key_hashes, which | 291 // Verify has the side-effect of populating public_key_hashes, which |
| 288 // ParsePinsHeader needs. (It wants to check pins against the validated | 292 // ParsePinsHeader needs. (It wants to check pins against the validated |
| 289 // chain, not just the presented chain.) | 293 // chain, not just the presented chain.) |
| 294 int rv = ERR_FAILED; | |
| 290 CertVerifyResult result; | 295 CertVerifyResult result; |
| 291 int rv = ssl_info.cert->Verify("127.0.0.1", 0, NULL, &result); | 296 scoped_ptr<CertVerifier> verifier( |
| 292 ASSERT_EQ(0, rv); | 297 CertVerifier::CreateDefaultCertVerifier()); |
| 298 TestCompletionCallback callback; | |
| 299 CertVerifier::RequestHandle handle = NULL; | |
| 300 rv = verifier->Verify(ssl_info.cert, "127.0.0.1", 0, NULL, &result, | |
| 301 callback.callback(), &handle, BoundNetLog()); | |
| 302 if (rv == ERR_IO_PENDING) | |
| 303 rv = callback.WaitForResult(); | |
|
wtc
2012/03/06 23:10:14
Nit: there is a method (GetResult?) that is equiva
| |
| 304 ASSERT_EQ(OK, rv); | |
| 293 // Normally, ssl_client_socket_nss would do this, but for a unit test we | 305 // Normally, ssl_client_socket_nss would do this, but for a unit test we |
| 294 // fake it. | 306 // fake it. |
| 295 ssl_info.public_key_hashes = result.public_key_hashes; | 307 ssl_info.public_key_hashes = result.public_key_hashes; |
| 296 std::string good_pin = GetPinFromCert(ssl_info.cert); | 308 std::string good_pin = GetPinFromCert(ssl_info.cert); |
| 297 | 309 |
| 298 // The backup pin is fake --- we just need an SPKI hash that does not match | 310 // The backup pin is fake --- we just need an SPKI hash that does not match |
| 299 // the hash of any SPKI in the certificate chain. | 311 // the hash of any SPKI in the certificate chain. |
| 300 std::string backup_pin = "pin-sha1=" + | 312 std::string backup_pin = "pin-sha1=" + |
| 301 HttpUtil::Quote("6dcfXufJLW3J6S/9rRe4vUlBj5g="); | 313 HttpUtil::Quote("6dcfXufJLW3J6S/9rRe4vUlBj5g="); |
| 302 | 314 |
| (...skipping 947 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1250 // Expect to fail for SNI hosts when not searching the SNI list: | 1262 // Expect to fail for SNI hosts when not searching the SNI list: |
| 1251 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 1263 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 1252 "gmail.com", false)); | 1264 "gmail.com", false)); |
| 1253 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 1265 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 1254 "googlegroups.com", false)); | 1266 "googlegroups.com", false)); |
| 1255 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 1267 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 1256 "www.googlegroups.com", false)); | 1268 "www.googlegroups.com", false)); |
| 1257 } | 1269 } |
| 1258 | 1270 |
| 1259 } // namespace net | 1271 } // namespace net |
| OLD | NEW |
