| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "ios/web/net/crw_cert_verification_controller.h" | 5 #include "ios/web/net/crw_cert_verification_controller.h" |
| 6 | 6 |
| 7 #include "base/mac/bind_objc_block.h" | 7 #include "base/mac/bind_objc_block.h" |
| 8 #include "base/message_loop/message_loop.h" | 8 #include "base/message_loop/message_loop.h" |
| 9 #include "base/test/ios/wait_util.h" | 9 #include "base/test/ios/wait_util.h" |
| 10 #include "ios/web/public/web_thread.h" | 10 #include "ios/web/public/web_thread.h" |
| 11 #include "ios/web/test/web_test.h" | 11 #include "ios/web/test/web_test.h" |
| 12 #import "ios/web/web_state/wk_web_view_security_util.h" |
| 12 #include "net/base/test_data_directory.h" | 13 #include "net/base/test_data_directory.h" |
| 13 #include "net/cert/mock_cert_verifier.h" | 14 #include "net/cert/mock_cert_verifier.h" |
| 14 #include "net/cert/x509_certificate.h" | 15 #include "net/cert/x509_certificate.h" |
| 15 #include "net/test/cert_test_util.h" | 16 #include "net/test/cert_test_util.h" |
| 16 #include "net/url_request/url_request_context.h" | 17 #include "net/url_request/url_request_context.h" |
| 17 #include "net/url_request/url_request_context_getter.h" | 18 #include "net/url_request/url_request_context_getter.h" |
| 18 | 19 |
| 19 namespace web { | 20 namespace web { |
| 20 | 21 |
| 21 namespace { | 22 namespace { |
| (...skipping 12 matching lines...) Expand all Loading... |
| 34 web::BrowserState* browser_state = GetBrowserState(); | 35 web::BrowserState* browser_state = GetBrowserState(); |
| 35 net::URLRequestContextGetter* getter = browser_state->GetRequestContext(); | 36 net::URLRequestContextGetter* getter = browser_state->GetRequestContext(); |
| 36 web::WebThread::PostTask(web::WebThread::IO, FROM_HERE, base::BindBlock(^{ | 37 web::WebThread::PostTask(web::WebThread::IO, FROM_HERE, base::BindBlock(^{ |
| 37 getter->GetURLRequestContext()->set_cert_verifier(&cert_verifier_); | 38 getter->GetURLRequestContext()->set_cert_verifier(&cert_verifier_); |
| 38 })); | 39 })); |
| 39 | 40 |
| 40 controller_.reset([[CRWCertVerificationController alloc] | 41 controller_.reset([[CRWCertVerificationController alloc] |
| 41 initWithBrowserState:browser_state]); | 42 initWithBrowserState:browser_state]); |
| 42 cert_ = | 43 cert_ = |
| 43 net::ImportCertFromFile(net::GetTestCertsDirectory(), kCertFileName); | 44 net::ImportCertFromFile(net::GetTestCertsDirectory(), kCertFileName); |
| 45 ASSERT_TRUE(cert_); |
| 46 |
| 47 NSArray* chain = GetChain(cert_); |
| 48 valid_trust_ = web::CreateServerTrustFromChain(chain, kHostName); |
| 49 web::EnsureFutureTrustEvaluationSucceeds(valid_trust_.get()); |
| 50 invalid_trust_ = web::CreateServerTrustFromChain(chain, kHostName); |
| 44 } | 51 } |
| 45 | 52 |
| 46 void TearDown() override { | 53 void TearDown() override { |
| 47 [controller_ shutDown]; | 54 [controller_ shutDown]; |
| 48 web::WebTest::TearDown(); | 55 web::WebTest::TearDown(); |
| 49 } | 56 } |
| 50 | 57 |
| 58 // Returns NSArray of SecCertificateRef objects for the given |cert|. |
| 59 NSArray* GetChain(const scoped_refptr<net::X509Certificate>& cert) const { |
| 60 NSMutableArray* result = [NSMutableArray |
| 61 arrayWithObject:static_cast<id>(cert->os_cert_handle())]; |
| 62 for (SecCertificateRef intermediate : cert->GetIntermediateCertificates()) { |
| 63 [result addObject:static_cast<id>(intermediate)]; |
| 64 } |
| 65 return result; |
| 66 } |
| 67 |
| 51 // Synchronously returns result of decidePolicyForCert:host:completionHandler: | 68 // Synchronously returns result of decidePolicyForCert:host:completionHandler: |
| 52 // call. | 69 // call. |
| 53 void DecidePolicy(const scoped_refptr<net::X509Certificate>& cert, | 70 void DecidePolicy(const scoped_refptr<net::X509Certificate>& cert, |
| 54 NSString* host, | 71 NSString* host, |
| 55 web::CertAcceptPolicy* policy, | 72 web::CertAcceptPolicy* policy, |
| 56 net::CertStatus* status) { | 73 net::CertStatus* status) { |
| 57 __block bool completion_handler_called = false; | 74 __block bool completion_handler_called = false; |
| 58 [controller_ decidePolicyForCert:cert | 75 [controller_ decidePolicyForCert:cert |
| 59 host:host | 76 host:host |
| 60 completionHandler:^(web::CertAcceptPolicy callback_policy, | 77 completionHandler:^(web::CertAcceptPolicy callback_policy, |
| 61 net::CertStatus callback_status) { | 78 net::CertStatus callback_status) { |
| 62 *policy = callback_policy; | 79 *policy = callback_policy; |
| 63 *status = callback_status; | 80 *status = callback_status; |
| 64 completion_handler_called = true; | 81 completion_handler_called = true; |
| 65 }]; | 82 }]; |
| 66 base::test::ios::WaitUntilCondition(^{ | 83 base::test::ios::WaitUntilCondition(^{ |
| 67 return completion_handler_called; | 84 return completion_handler_called; |
| 68 }, base::MessageLoop::current(), base::TimeDelta()); | 85 }, base::MessageLoop::current(), base::TimeDelta()); |
| 69 } | 86 } |
| 70 | 87 |
| 88 // Synchronously returns result of |
| 89 // querySSLStatusForTrust:host:completionHandler: call. |
| 90 void QueryStatus(const base::ScopedCFTypeRef<SecTrustRef>& trust, |
| 91 NSString* host, |
| 92 SecurityStyle* style, |
| 93 net::CertStatus* status) { |
| 94 __block bool completion_handler_called = false; |
| 95 [controller_ querySSLStatusForTrust:trust |
| 96 host:host |
| 97 completionHandler:^(SecurityStyle callback_style, |
| 98 net::CertStatus callback_status) { |
| 99 *style = callback_style; |
| 100 *status = callback_status; |
| 101 completion_handler_called = true; |
| 102 }]; |
| 103 base::test::ios::WaitUntilCondition(^{ |
| 104 return completion_handler_called; |
| 105 }, base::MessageLoop::current(), base::TimeDelta()); |
| 106 } |
| 107 |
| 71 scoped_refptr<net::X509Certificate> cert_; | 108 scoped_refptr<net::X509Certificate> cert_; |
| 109 base::ScopedCFTypeRef<SecTrustRef> valid_trust_; |
| 110 base::ScopedCFTypeRef<SecTrustRef> invalid_trust_; |
| 72 net::MockCertVerifier cert_verifier_; | 111 net::MockCertVerifier cert_verifier_; |
| 73 base::scoped_nsobject<CRWCertVerificationController> controller_; | 112 base::scoped_nsobject<CRWCertVerificationController> controller_; |
| 74 }; | 113 }; |
| 75 | 114 |
| 76 // Tests cert policy with a valid cert. | 115 // Tests cert policy with a valid cert. |
| 77 TEST_F(CRWCertVerificationControllerTest, ValidCert) { | 116 TEST_F(CRWCertVerificationControllerTest, PolicyForValidCert) { |
| 78 net::CertVerifyResult verify_result; | 117 net::CertVerifyResult verify_result; |
| 79 verify_result.cert_status = net::CERT_STATUS_NO_REVOCATION_MECHANISM; | 118 verify_result.cert_status = net::CERT_STATUS_NO_REVOCATION_MECHANISM; |
| 80 verify_result.verified_cert = cert_; | 119 verify_result.verified_cert = cert_; |
| 81 cert_verifier_.AddResultForCertAndHost(cert_.get(), [kHostName UTF8String], | 120 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, |
| 82 verify_result, net::OK); | 121 verify_result, net::OK); |
| 83 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | 122 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; |
| 84 net::CertStatus status; | 123 net::CertStatus status; |
| 85 DecidePolicy(cert_, kHostName, &policy, &status); | 124 DecidePolicy(cert_, kHostName, &policy, &status); |
| 86 EXPECT_EQ(CERT_ACCEPT_POLICY_ALLOW, policy); | 125 EXPECT_EQ(CERT_ACCEPT_POLICY_ALLOW, policy); |
| 87 EXPECT_EQ(verify_result.cert_status, status); | 126 EXPECT_EQ(verify_result.cert_status, status); |
| 88 } | 127 } |
| 89 | 128 |
| 90 // Tests cert policy with an invalid cert. | 129 // Tests cert policy with an invalid cert. |
| 91 TEST_F(CRWCertVerificationControllerTest, InvalidCert) { | 130 TEST_F(CRWCertVerificationControllerTest, PolicyForInvalidCert) { |
| 92 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | 131 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; |
| 93 net::CertStatus status; | 132 net::CertStatus status; |
| 94 DecidePolicy(cert_, kHostName, &policy, &status); | 133 DecidePolicy(cert_, kHostName, &policy, &status); |
| 95 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR, policy); | 134 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR, policy); |
| 96 } | 135 } |
| 97 | 136 |
| 98 // Tests cert policy with null cert. | 137 // Tests cert policy with null cert. |
| 99 TEST_F(CRWCertVerificationControllerTest, NullCert) { | 138 TEST_F(CRWCertVerificationControllerTest, PolicyForNullCert) { |
| 100 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | 139 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; |
| 101 net::CertStatus status; | 140 net::CertStatus status; |
| 102 DecidePolicy(nullptr, kHostName, &policy, &status); | 141 DecidePolicy(nullptr, kHostName, &policy, &status); |
| 103 EXPECT_EQ(CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR, policy); | 142 EXPECT_EQ(CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR, policy); |
| 104 } | 143 } |
| 105 | 144 |
| 106 // Tests cert policy with null cert and null host. | 145 // Tests cert policy with null cert and null host. |
| 107 TEST_F(CRWCertVerificationControllerTest, NullHost) { | 146 TEST_F(CRWCertVerificationControllerTest, PolicyForNullHost) { |
| 108 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | 147 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; |
| 109 net::CertStatus status; | 148 net::CertStatus status; |
| 110 DecidePolicy(cert_, nil, &policy, &status); | 149 DecidePolicy(cert_, nil, &policy, &status); |
| 111 EXPECT_EQ(CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR, policy); | 150 EXPECT_EQ(CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR, policy); |
| 112 } | 151 } |
| 113 | 152 |
| 153 // Tests SSL status with valid trust. |
| 154 TEST_F(CRWCertVerificationControllerTest, SSLStatusForValidTrust) { |
| 155 SecurityStyle style = SECURITY_STYLE_UNKNOWN; |
| 156 net::CertStatus status = net::CERT_STATUS_ALL_ERRORS; |
| 157 |
| 158 QueryStatus(valid_trust_, kHostName, &style, &status); |
| 159 EXPECT_EQ(SECURITY_STYLE_AUTHENTICATED, style); |
| 160 EXPECT_FALSE(status); |
| 161 } |
| 162 |
| 163 // Tests SSL status with invalid host. |
| 164 TEST_F(CRWCertVerificationControllerTest, SSLStatusForInvalidHost) { |
| 165 net::CertVerifyResult result; |
| 166 result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID; |
| 167 result.verified_cert = cert_; |
| 168 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, |
| 169 result, |
| 170 net::ERR_CERT_COMMON_NAME_INVALID); |
| 171 |
| 172 SecurityStyle style = SECURITY_STYLE_UNKNOWN; |
| 173 net::CertStatus status = net::CERT_STATUS_ALL_ERRORS; |
| 174 |
| 175 QueryStatus(invalid_trust_, kHostName, &style, &status); |
| 176 EXPECT_EQ(SECURITY_STYLE_AUTHENTICATION_BROKEN, style); |
| 177 EXPECT_EQ(status, net::CERT_STATUS_COMMON_NAME_INVALID); |
| 178 } |
| 179 |
| 180 // Tests SSL status with expired cert. |
| 181 TEST_F(CRWCertVerificationControllerTest, SSLStatusForExpiredTrust) { |
| 182 net::CertVerifyResult result; |
| 183 result.cert_status = net::CERT_STATUS_DATE_INVALID; |
| 184 result.verified_cert = cert_; |
| 185 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, |
| 186 result, net::ERR_CERT_DATE_INVALID); |
| 187 |
| 188 SecurityStyle style = SECURITY_STYLE_UNKNOWN; |
| 189 net::CertStatus status = net::CERT_STATUS_ALL_ERRORS; |
| 190 |
| 191 QueryStatus(invalid_trust_, kHostName, &style, &status); |
| 192 EXPECT_EQ(SECURITY_STYLE_AUTHENTICATION_BROKEN, style); |
| 193 EXPECT_EQ(net::CERT_STATUS_DATE_INVALID, status); |
| 194 } |
| 195 |
| 114 } // namespace web | 196 } // namespace web |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1322193003:
WKWebView(iOS9): correctly update SSL status for current navigation item (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@reland_cert_verification