Chromium Code Reviews Chromium Code Reviews
Issue 1216943003:
Use the CT policy enforcer for QUIC, if specified. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/quic/crypto/proof_verifier_chromium.h" | |
| 6 | |
| 7 #include "base/memory/ref_counted.h" | |
| 8 #include "base/memory/scoped_ptr.h" | |
| 9 #include "net/base/net_errors.h" | |
| 10 #include "net/base/test_data_directory.h" | |
| 11 #include "net/cert/cert_policy_enforcer.h" | |
| 12 #include "net/cert/cert_status_flags.h" | |
| 13 #include "net/cert/cert_verifier.h" | |
| 14 #include "net/cert/mock_cert_verifier.h" | |
| 15 #include "net/cert/x509_certificate.h" | |
| 16 #include "net/http/transport_security_state.h" | |
| 17 #include "net/log/net_log.h" | |
| 18 #include "net/quic/crypto/proof_verifier.h" | |
| 19 #include "net/test/cert_test_util.h" | |
| 20 #include "testing/gtest/include/gtest/gtest.h" | |
| 21 | |
| 22 namespace net { | |
| 23 namespace test { | |
| 24 | |
| 25 namespace { | |
| 26 | |
| 27 // CertVerifier that will fail the test if it is ever called. | |
| 28 class FailsTestCertVerifier : public CertVerifier { | |
| 29 public: | |
| 30 FailsTestCertVerifier() {} | |
| 31 ~FailsTestCertVerifier() override {} | |
| 32 | |
| 33 // CertVerifier implementation | |
| 34 int Verify(X509Certificate* cert, | |
| 35 const std::string& hostname, | |
| 36 const std::string& ocsp_response, | |
| 37 int flags, | |
| 38 CRLSet* crl_set, | |
| 39 CertVerifyResult* verify_result, | |
| 40 const CompletionCallback& callback, | |
| 41 scoped_ptr<CertVerifier::Request>* out_req, | |
| 42 const BoundNetLog& net_log) override { | |
| 43 ADD_FAILURE() << "CertVerifier::Verify() should not be called"; | |
| 44 return ERR_FAILED; | |
| 45 } | |
| 46 }; | |
| 47 | |
| 48 // CertPolicyEnforcer that will fail the test if it is ever called. | |
| 49 class FailsTestCertPolicyEnforcer : public CertPolicyEnforcer { | |
| 50 public: | |
| 51 FailsTestCertPolicyEnforcer() {} | |
| 52 ~FailsTestCertPolicyEnforcer() override {} | |
| 53 | |
| 54 bool DoesConformToCTEVPolicy(X509Certificate* cert, | |
| 55 const ct::EVCertsWhitelist* ev_whitelist, | |
| 56 const ct::CTVerifyResult& ct_result, | |
| 57 const BoundNetLog& net_log) override { | |
| 58 ADD_FAILURE() << "CertPolicyEnforcer::DoesConformToCTEVPolicy() should " | |
| 59 << "not be called"; | |
| 60 return false; | |
| 61 } | |
| 62 }; | |
| 63 | |
| 64 // CertPolicyEnforcer that can simulate whether or not a given certificate | |
| 65 // conforms to the CT/EV policy. | |
| 66 class MockCertPolicyEnforcer : public CertPolicyEnforcer { | |
| 67 public: | |
| 68 MockCertPolicyEnforcer(bool is_ev) : is_ev_(is_ev) {} | |
| 69 ~MockCertPolicyEnforcer() override {} | |
| 70 | |
| 71 bool DoesConformToCTEVPolicy(X509Certificate* cert, | |
| 72 const ct::EVCertsWhitelist* ev_whitelist, | |
| 73 const ct::CTVerifyResult& ct_result, | |
| 74 const BoundNetLog& net_log) override { | |
| 75 return is_ev_; | |
| 76 } | |
| 77 | |
| 78 private: | |
| 79 bool is_ev_; | |
| 80 }; | |
| 81 | |
| 82 class DummyProofVerifierCallback : public ProofVerifierCallback { | |
| 83 public: | |
| 84 DummyProofVerifierCallback() {} | |
| 85 ~DummyProofVerifierCallback() override {} | |
| 86 | |
| 87 void Run(bool ok, | |
| 88 const std::string& error_details, | |
| 89 scoped_ptr<ProofVerifyDetails>* details) override { | |
| 90 // Do nothing | |
| 91 } | |
| 92 }; | |
| 93 | |
| 94 scoped_refptr<X509Certificate> GetTestServerCertificate() { | |
| 95 static const char kTestCert[] = "quic_test.example.com.crt"; | |
| 96 return ImportCertFromFile(GetTestCertsDirectory(), kTestCert); | |
| 97 } | |
| 98 | |
| 99 void GetTestCertificates(std::vector<std::string>* certs) { | |
| 100 scoped_refptr<X509Certificate> cert = GetTestServerCertificate(); | |
| 101 ASSERT_TRUE(cert); | |
| 102 | |
| 103 std::string der_bytes; | |
| 104 ASSERT_TRUE( | |
| 105 X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_bytes)); | |
| 106 | |
| 107 certs->clear(); | |
| 108 certs->push_back(der_bytes); | |
| 109 } | |
| 110 | |
| 111 std::string GetTestSignature() { | |
| 112 static const unsigned char kTestSignature[] = { | |
| 113 0x31, 0xd5, 0xfb, 0x40, 0x30, 0x75, 0xd2, 0x7d, 0x61, 0xf9, 0xd7, 0x54, | |
| 114 0x30, 0x06, 0xaf, 0x54, 0x0d, 0xb0, 0x0a, 0xda, 0x63, 0xca, 0x7e, 0x9e, | |
| 115 0xce, 0xba, 0x10, 0x05, 0x1b, 0xa6, 0x7f, 0xef, 0x2b, 0xa3, 0xff, 0x3c, | |
| 116 0xbb, 0x9a, 0xe4, 0xbf, 0xb8, 0x0c, 0xc1, 0xbd, 0xed, 0xc2, 0x90, 0x68, | |
| 117 0xeb, 0x45, 0x48, 0xea, 0x3c, 0x95, 0xf8, 0xa2, 0xb9, 0xe7, 0x62, 0x29, | |
| 118 0x00, 0xc3, 0x18, 0xb4, 0x16, 0x6f, 0x5e, 0xb0, 0xc1, 0x26, 0xc0, 0x4b, | |
| 119 0x84, 0xf5, 0x97, 0xfc, 0x17, 0xf9, 0x1c, 0x43, 0xb8, 0xf2, 0x3f, 0x38, | |
| 120 0x32, 0xad, 0x36, 0x52, 0x2c, 0x26, 0x92, 0x7a, 0xea, 0x2c, 0xa2, 0xf4, | |
| 121 0x28, 0x2f, 0x19, 0x4d, 0x1f, 0x11, 0x46, 0x82, 0xd0, 0xc4, 0x86, 0x56, | |
| 122 0x5c, 0x97, 0x9e, 0xc6, 0x37, 0x8e, 0xaf, 0x9d, 0x69, 0xe9, 0x4f, 0x5a, | |
| 123 0x6d, 0x70, 0x75, 0xc7, 0x41, 0x95, 0x68, 0x53, 0x94, 0xca, 0x31, 0x63, | |
| 124 0x61, 0x9f, 0xb8, 0x8c, 0x3b, 0x75, 0x36, 0x8b, 0x69, 0xa2, 0x35, 0xc0, | |
| 125 0x4b, 0x77, 0x55, 0x08, 0xc2, 0xb4, 0x56, 0xd2, 0x81, 0xce, 0x9e, 0x25, | |
| 126 0xdb, 0x50, 0x74, 0xb3, 0x8a, 0xd9, 0x20, 0x42, 0x3f, 0x85, 0x2d, 0xaa, | |
| 127 0xfd, 0x66, 0xfa, 0xd6, 0x95, 0x55, 0x6b, 0x63, 0x63, 0x04, 0xf8, 0x6c, | |
| 128 0x3e, 0x08, 0x22, 0x39, 0xb9, 0x9a, 0xe0, 0xd7, 0x01, 0xff, 0xeb, 0x8a, | |
| 129 0xb9, 0xe2, 0x34, 0xa5, 0xa0, 0x51, 0xe9, 0xbe, 0x15, 0x12, 0xbf, 0xbe, | |
| 130 0x64, 0x3d, 0x3f, 0x98, 0xce, 0xc1, 0xa6, 0x33, 0x32, 0xd3, 0x5c, 0xa8, | |
| 131 0x39, 0x93, 0xdc, 0x1c, 0xb9, 0xab, 0x3c, 0x80, 0x62, 0xb3, 0x76, 0x21, | |
| 132 0xdf, 0x47, 0x1e, 0xa9, 0x0e, 0x5e, 0x8a, 0xbe, 0x66, 0x5b, 0x7c, 0x21, | |
| 133 0xfa, 0x78, 0x2d, 0xd1, 0x1d, 0x5c, 0x35, 0x8a, 0x34, 0xb2, 0x1a, 0xc2, | |
| 134 0xc4, 0x4b, 0x53, 0x54, | |
|
Ryan Hamilton
2015/07/28 03:36:01
Can you comment on what this value is/where it cam
| |
| 135 }; | |
| 136 return std::string(reinterpret_cast<const char*>(kTestSignature), | |
| 137 sizeof(kTestSignature)); | |
| 138 } | |
| 139 | |
| 140 const char kTestHostname[] = "test.example.com"; | |
| 141 const char kTestConfig[] = "server config bytes"; | |
| 142 | |
| 143 } // namespace | |
| 144 | |
| 145 // Tests that the ProofVerifier fails verification if certificate | |
| 146 // verification fails. | |
| 147 TEST(ProofVerifierChromiumTest, FailsIfCertFails) { | |
| 148 MockCertVerifier dummy_verifier; | |
| 149 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr); | |
| 150 | |
| 151 scoped_ptr<ProofVerifyContext> verify_context( | |
| 152 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog())); | |
| 153 scoped_ptr<ProofVerifyDetails> details; | |
| 154 std::string error_details; | |
| 155 | |
| 156 std::vector<std::string> certs; | |
| 157 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs)); | |
| 158 | |
| 159 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback; | |
| 160 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
| 161 kTestHostname, kTestConfig, certs, GetTestSignature(), | |
| 162 verify_context.get(), &error_details, &details, callback); | |
| 163 ASSERT_EQ(QUIC_FAILURE, status); | |
| 164 delete callback; | |
| 165 } | |
| 166 | |
| 167 // Tests that the ProofVerifier doesn't verify certificates if the config | |
| 168 // signature fails. | |
| 169 TEST(ProofVerifierChromiumTest, FailsIfSignatureFails) { | |
| 170 FailsTestCertVerifier cert_verifier; | |
| 171 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr); | |
| 172 | |
| 173 scoped_ptr<ProofVerifyContext> verify_context( | |
| 174 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog())); | |
| 175 scoped_ptr<ProofVerifyDetails> details; | |
| 176 std::string error_details; | |
| 177 | |
| 178 std::vector<std::string> certs; | |
| 179 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs)); | |
| 180 | |
| 181 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback; | |
| 182 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
| 183 kTestHostname, kTestConfig, certs, kTestConfig, verify_context.get(), | |
| 184 &error_details, &details, callback); | |
| 185 ASSERT_EQ(QUIC_FAILURE, status); | |
| 186 delete callback; | |
| 187 } | |
| 188 | |
| 189 // Tests that EV certificates are left as EV if there is no certificate | |
| 190 // policy enforcement. | |
| 191 TEST(ProofVerifierChromiumTest, PreservesEVIfNoPolicy) { | |
| 192 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
| 193 ASSERT_TRUE(test_cert); | |
| 194 | |
| 195 CertVerifyResult dummy_result; | |
| 196 dummy_result.verified_cert = test_cert; | |
| 197 dummy_result.cert_status = CERT_STATUS_IS_EV; | |
| 198 | |
| 199 MockCertVerifier dummy_verifier; | |
| 200 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
| 201 | |
| 202 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr); | |
| 203 | |
| 204 scoped_ptr<ProofVerifyContext> verify_context( | |
| 205 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog())); | |
| 206 scoped_ptr<ProofVerifyDetails> details; | |
| 207 std::string error_details; | |
| 208 | |
| 209 std::vector<std::string> certs; | |
| 210 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs)); | |
| 211 | |
| 212 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback; | |
| 213 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
| 214 kTestHostname, kTestConfig, certs, GetTestSignature(), | |
| 215 verify_context.get(), &error_details, &details, callback); | |
| 216 ASSERT_EQ(QUIC_SUCCESS, status); | |
| 217 delete callback; | |
| 218 | |
| 219 ASSERT_TRUE(details.get()); | |
| 220 ProofVerifyDetailsChromium* verify_details = | |
| 221 static_cast<ProofVerifyDetailsChromium*>(details.get()); | |
| 222 EXPECT_EQ(dummy_result.cert_status, | |
| 223 verify_details->cert_verify_result.cert_status); | |
| 224 } | |
| 225 | |
| 226 // Tests that the certificate policy enforcer is consulted for EV | |
| 227 // and the certificate is allowed to be EV. | |
| 228 TEST(ProofVerifierChromiumTest, PreservesEVIfAllowed) { | |
| 229 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
| 230 ASSERT_TRUE(test_cert); | |
| 231 | |
| 232 CertVerifyResult dummy_result; | |
| 233 dummy_result.verified_cert = test_cert; | |
| 234 dummy_result.cert_status = CERT_STATUS_IS_EV; | |
| 235 | |
| 236 MockCertVerifier dummy_verifier; | |
| 237 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
| 238 | |
| 239 MockCertPolicyEnforcer policy_enforcer(true /*is_ev*/); | |
| 240 | |
| 241 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | |
| 242 nullptr); | |
| 243 | |
| 244 scoped_ptr<ProofVerifyContext> verify_context( | |
| 245 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog())); | |
| 246 scoped_ptr<ProofVerifyDetails> details; | |
| 247 std::string error_details; | |
| 248 | |
| 249 std::vector<std::string> certs; | |
| 250 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs)); | |
| 251 | |
| 252 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback; | |
| 253 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
| 254 kTestHostname, kTestConfig, certs, GetTestSignature(), | |
| 255 verify_context.get(), &error_details, &details, callback); | |
| 256 ASSERT_EQ(QUIC_SUCCESS, status); | |
| 257 delete callback; | |
| 258 | |
| 259 ASSERT_TRUE(details.get()); | |
| 260 ProofVerifyDetailsChromium* verify_details = | |
| 261 static_cast<ProofVerifyDetailsChromium*>(details.get()); | |
| 262 EXPECT_EQ(dummy_result.cert_status, | |
| 263 verify_details->cert_verify_result.cert_status); | |
| 264 } | |
| 265 | |
| 266 // Tests that the certificate policy enforcer is consulted for EV | |
| 267 // and the certificate is not allowed to be EV. | |
| 268 TEST(ProofVerifierChromiumTest, StripsEVIfNotAllowed) { | |
| 269 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
| 270 ASSERT_TRUE(test_cert); | |
| 271 | |
| 272 CertVerifyResult dummy_result; | |
| 273 dummy_result.verified_cert = test_cert; | |
| 274 dummy_result.cert_status = CERT_STATUS_IS_EV; | |
| 275 | |
| 276 MockCertVerifier dummy_verifier; | |
| 277 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
| 278 | |
| 279 MockCertPolicyEnforcer policy_enforcer(false /*is_ev*/); | |
| 280 | |
| 281 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | |
| 282 nullptr); | |
| 283 | |
| 284 scoped_ptr<ProofVerifyContext> verify_context( | |
| 285 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog())); | |
| 286 scoped_ptr<ProofVerifyDetails> details; | |
| 287 std::string error_details; | |
| 288 | |
| 289 std::vector<std::string> certs; | |
| 290 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs)); | |
| 291 | |
| 292 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback; | |
| 293 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
| 294 kTestHostname, kTestConfig, certs, GetTestSignature(), | |
| 295 verify_context.get(), &error_details, &details, callback); | |
| 296 ASSERT_EQ(QUIC_SUCCESS, status); | |
| 297 delete callback; | |
| 298 | |
| 299 ASSERT_TRUE(details.get()); | |
| 300 ProofVerifyDetailsChromium* verify_details = | |
| 301 static_cast<ProofVerifyDetailsChromium*>(details.get()); | |
| 302 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | |
| 303 } | |
| 304 | |
| 305 // Tests that the certificate policy enforcer is not consulted if | |
| 306 // the certificate is not EV. | |
| 307 TEST(ProofVerifierChromiumTest, IgnoresPolicyEnforcerIfNotEV) { | |
| 308 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
| 309 ASSERT_TRUE(test_cert); | |
| 310 | |
| 311 CertVerifyResult dummy_result; | |
| 312 dummy_result.verified_cert = test_cert; | |
| 313 dummy_result.cert_status = 0; | |
| 314 | |
| 315 MockCertVerifier dummy_verifier; | |
| 316 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
| 317 | |
| 318 FailsTestCertPolicyEnforcer policy_enforcer; | |
| 319 | |
| 320 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | |
| 321 nullptr); | |
| 322 | |
| 323 scoped_ptr<ProofVerifyContext> verify_context( | |
| 324 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog())); | |
| 325 scoped_ptr<ProofVerifyDetails> details; | |
| 326 std::string error_details; | |
| 327 | |
| 328 std::vector<std::string> certs; | |
| 329 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs)); | |
| 330 | |
| 331 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback; | |
| 332 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
| 333 kTestHostname, kTestConfig, certs, GetTestSignature(), | |
| 334 verify_context.get(), &error_details, &details, callback); | |
| 335 ASSERT_EQ(QUIC_SUCCESS, status); | |
| 336 delete callback; | |
| 337 | |
| 338 ASSERT_TRUE(details.get()); | |
| 339 ProofVerifyDetailsChromium* verify_details = | |
| 340 static_cast<ProofVerifyDetailsChromium*>(details.get()); | |
| 341 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | |
| 342 } | |
| 343 | |
| 344 } // namespace test | |
| 345 } // namespace net | |
| OLD | NEW |
