Set Token-Binding HTTP header

net/url_request/url_request_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "build/build_config.h"
 
 #if defined(OS_WIN)
 #include <windows.h>
 #include <shlobj.h>
 #endif
 
 #include <stdint.h>
 
 #include <algorithm>
 
+#include "base/base64.h"
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/files/scoped_temp_dir.h"
 #include "base/format_macros.h"
 #include "base/json/json_reader.h"
 #include "base/location.h"
 #include "base/memory/scoped_ptr.h"
@@ skipping 42 matching lines @@
 #include "net/http/http_network_session.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "net/log/net_log.h"
 #include "net/log/test_net_log.h"
 #include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
 #include "net/proxy/proxy_service.h"
 #include "net/socket/ssl_client_socket.h"
+#include "net/ssl/channel_id_service.h"
+#include "net/ssl/default_channel_id_store.h"
 #include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_connection_status_flags.h"
+#include "net/ssl/token_binding.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/embedded_test_server/http_request.h"
 #include "net/test/embedded_test_server/http_response.h"
 #include "net/test/spawned_test_server/spawned_test_server.h"
 #include "net/test/url_request/url_request_failed_job.h"
 #include "net/url_request/data_protocol_handler.h"
 #include "net/url_request/static_http_user_agent_settings.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_filter.h"
@@ skipping 3188 matching lines @@
   }
 
   LocalHttpTestServer* test_server() {
     return &test_server_;
   }
 
  protected:
   LocalHttpTestServer test_server_;
 };
 
+class TestSSLConfigService : public SSLConfigService {
+ public:
+  TestSSLConfigService(bool ev_enabled,
+                       bool online_rev_checking,
+                       bool rev_checking_required_local_anchors,
+                       bool token_binding_enabled)
+      : ev_enabled_(ev_enabled),
+        online_rev_checking_(online_rev_checking),
+        rev_checking_required_local_anchors_(
+            rev_checking_required_local_anchors),
+        min_version_(kDefaultSSLVersionMin),
+        fallback_min_version_(kDefaultSSLVersionFallbackMin),
+        token_binding_enabled_(token_binding_enabled) {}
+
+  void set_min_version(uint16 version) { min_version_ = version; }
+
+  void set_fallback_min_version(uint16 version) {
+    fallback_min_version_ = version;
+  }
+
+  // SSLConfigService:
+  void GetSSLConfig(SSLConfig* config) override {
+    *config = SSLConfig();
+    config->rev_checking_enabled = online_rev_checking_;
+    config->verify_ev_cert = ev_enabled_;
+    config->rev_checking_required_local_anchors =
+        rev_checking_required_local_anchors_;
+    if (fallback_min_version_) {
+      config->version_fallback_min = fallback_min_version_;
+    }
+    if (min_version_) {
+      config->version_min = min_version_;
+    }
+    if (token_binding_enabled_) {
+      config->token_binding_params.push_back(TB_PARAM_ECDSAP256);
+    }
+  }
+
+ protected:
+  ~TestSSLConfigService() override {}
+
+ private:
+  const bool ev_enabled_;
+  const bool online_rev_checking_;
+  const bool rev_checking_required_local_anchors_;
+  uint16 min_version_;
+  uint16 fallback_min_version_;
+  const bool token_binding_enabled_;
+};
+
+class TokenBindingURLRequestTest : public URLRequestTestHTTP {
+ public:
+  void SetUp() override {
+    default_context_.set_ssl_config_service(
+        new TestSSLConfigService(false, false, false, true));
+    channel_id_service_.reset(new ChannelIDService(
+        new DefaultChannelIDStore(NULL), base::ThreadTaskRunnerHandle::Get()));
+    default_context_.set_channel_id_service(channel_id_service_.get());
+    URLRequestTestHTTP::SetUp();
+  }
+
+ protected:
+  scoped_ptr<ChannelIDService> channel_id_service_;
+};
+
+TEST_F(TokenBindingURLRequestTest, TokenBindingTest) {
+  SpawnedTestServer::SSLOptions ssl_options;
+  ssl_options.supported_token_binding_params.push_back(TB_PARAM_ECDSAP256);
+  SpawnedTestServer https_test_server(SpawnedTestServer::TYPE_HTTPS,
+                                      ssl_options,
+                                      base::FilePath(kTestFilePath));
+  ASSERT_TRUE(https_test_server.Start());
+
+  TestDelegate d;
+  {
+    scoped_ptr<URLRequest> r(default_context_.CreateRequest(
+        https_test_server.GetURL("tokbind-ekm"), DEFAULT_PRIORITY, &d));
+    r->Start();
+    EXPECT_TRUE(r->is_pending());
+
+    base::RunLoop().Run();
+
+    EXPECT_EQ(URLRequestStatus::SUCCESS, r->status().status());
+
+    HttpRequestHeaders headers;
+    std::string token_binding_header, token_binding_message;
+    EXPECT_TRUE(r->GetFullRequestHeaders(&headers));
+    EXPECT_TRUE(headers.GetHeader(HttpRequestHeaders::kTokenBinding,
+                                  &token_binding_header));
+    base::ReplaceChars(token_binding_header, "_", "/", &token_binding_header);
+    base::ReplaceChars(token_binding_header, "-", "+", &token_binding_header);
+    EXPECT_TRUE(
+        base::Base64Decode(token_binding_header, &token_binding_message));
+    std::string ec_point, signature;
+    EXPECT_TRUE(
+        ParseTokenBindingMessage(token_binding_message, &ec_point, &signature));
+
+    EXPECT_GT(d.bytes_received(), 0);
+    std::string ekm = d.data_received();
+
+    EXPECT_TRUE(VerifyEKMSignature(ec_point, signature, ekm));
+  }
+}
+
 // In this unit test, we're using the HTTPTestServer as a proxy server and
 // issuing a CONNECT request with the magic host name "www.redirect.com".
 // The HTTPTestServer will return a 302 response, which we should not
 // follow.
 TEST_F(URLRequestTestHTTP, ProxyTunnelRedirectTest) {
   ASSERT_TRUE(test_server_.Start());
 
   TestNetworkDelegate network_delegate;  // Must outlive URLRequest.
   TestURLRequestContextWithProxy context(
       test_server_.host_port_pair().ToString(), &network_delegate);
@@ skipping 5116 matching lines @@
   for (size_t i = 0; i < lines.size(); i++) {
     int cipher_suite;
     ASSERT_TRUE(base::StringToInt(lines[i], &cipher_suite));
     EXPECT_FALSE(IsECDSACipherSuite(cipher_suite))
         << "ClientHello advertised " << cipher_suite;
   }
 }
 
 #endif  // OS_WIN
 
-class TestSSLConfigService : public SSLConfigService {
- public:
-  TestSSLConfigService(bool ev_enabled,
-                       bool online_rev_checking,
-                       bool rev_checking_required_local_anchors)
-      : ev_enabled_(ev_enabled),
-        online_rev_checking_(online_rev_checking),
-        rev_checking_required_local_anchors_(
-            rev_checking_required_local_anchors),
-        min_version_(kDefaultSSLVersionMin),
-        fallback_min_version_(kDefaultSSLVersionFallbackMin) {}
-
-  void set_min_version(uint16 version) {
-    min_version_ = version;
-  }
-
-  void set_fallback_min_version(uint16 version) {
-    fallback_min_version_ = version;
-  }
-
-  // SSLConfigService:
-  void GetSSLConfig(SSLConfig* config) override {
-    *config = SSLConfig();
-    config->rev_checking_enabled = online_rev_checking_;
-    config->verify_ev_cert = ev_enabled_;
-    config->rev_checking_required_local_anchors =
-        rev_checking_required_local_anchors_;
-    if (fallback_min_version_) {
-      config->version_fallback_min = fallback_min_version_;
-    }
-    if (min_version_) {
-      config->version_min = min_version_;
-    }
-  }
-
- protected:
-  ~TestSSLConfigService() override {}
-
- private:
-  const bool ev_enabled_;
-  const bool online_rev_checking_;
-  const bool rev_checking_required_local_anchors_;
-  uint16 min_version_;
-  uint16 fallback_min_version_;
-};
-
 class FallbackTestURLRequestContext : public TestURLRequestContext {
  public:
   explicit FallbackTestURLRequestContext(bool delay_initialization)
       : TestURLRequestContext(delay_initialization) {}
 
   void set_fallback_min_version(uint16 version) {
-    TestSSLConfigService *ssl_config_service =
-        new TestSSLConfigService(true /* check for EV */,
-                                 false /* online revocation checking */,
-                                 false /* require rev. checking for local
-                                          anchors */);
+    TestSSLConfigService* ssl_config_service = new TestSSLConfigService(
+        true /* check for EV */, false /* online revocation checking */,
+        false /* require rev. checking for local
+                                          anchors */,
+        false /* token binding enabled */);
     ssl_config_service->set_fallback_min_version(version);
     set_ssl_config_service(ssl_config_service);
   }
 };
 
 class HTTPSFallbackTest : public testing::Test {
  public:
   HTTPSFallbackTest() : context_(true) {}
   ~HTTPSFallbackTest() override {}
 
@@ skipping 354 matching lines @@
 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
     ShutdownNSSHttpIO();
 #endif
   }
 
  protected:
   // SetupContext configures the URLRequestContext that will be used for making
   // connetions to testserver. This can be overridden in test subclasses for
   // different behaviour.
   virtual void SetupContext(URLRequestContext* context) {
-    context->set_ssl_config_service(
-        new TestSSLConfigService(true /* check for EV */,
-                                 true /* online revocation checking */,
-                                 false /* require rev. checking for local
-                                          anchors */));
+    context->set_ssl_config_service(new TestSSLConfigService(
+        true /* check for EV */, true /* online revocation checking */,
+        false /* require rev. checking for local
+                                          anchors */,
+        false /* token binding enabled */));
   }
 
   scoped_ptr<ScopedTestRoot> test_root_;
   TestURLRequestContext context_;
   scoped_ptr<ScopedTestEVPolicy> ev_test_policy_;
 };
 
 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() {
 #if defined(OS_WIN)
   // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't
@@ skipping 170 matching lines @@
   DoConnection(ssl_options, &cert_status);
 
   EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS);
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
   EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
 }
 
 class HTTPSHardFailTest : public HTTPSOCSPTest {
  protected:
   void SetupContext(URLRequestContext* context) override {
-    context->set_ssl_config_service(
-        new TestSSLConfigService(false /* check for EV */,
-                                 false /* online revocation checking */,
-                                 true /* require rev. checking for local
-                                         anchors */));
+    context->set_ssl_config_service(new TestSSLConfigService(
+        false /* check for EV */, false /* online revocation checking */,
+        true /* require rev. checking for local
+                                         anchors */,
+        false /* token binding enabled */));
   }
 };
 
 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) {
   if (!SystemSupportsOCSP()) {
     LOG(WARNING) << "Skipping test because system doesn't support OCSP";
     return;
   }
 
   if (!SystemSupportsHardFailRevocationChecking()) {
@@ skipping 12 matching lines @@
   EXPECT_EQ(CERT_STATUS_REVOKED,
             cert_status & CERT_STATUS_REVOKED);
 
   // Without a positive OCSP response, we shouldn't show the EV status.
   EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
 }
 
 class HTTPSEVCRLSetTest : public HTTPSOCSPTest {
  protected:
   void SetupContext(URLRequestContext* context) override {
-    context->set_ssl_config_service(
-        new TestSSLConfigService(true /* check for EV */,
-                                 false /* online revocation checking */,
-                                 false /* require rev. checking for local
-                                          anchors */));
+    context->set_ssl_config_service(new TestSSLConfigService(
+        true /* check for EV */, false /* online revocation checking */,
+        false /* require rev. checking for local
+                                          anchors */,
+        false /* token binding enabled */));
   }
 };
 
 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) {
   if (!SystemSupportsOCSP()) {
     LOG(WARNING) << "Skipping test because system doesn't support OCSP";
     return;
   }
 
   SpawnedTestServer::SSLOptions ssl_options(
@@ skipping 160 matching lines @@
 
   EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
 
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
   EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
 }
 
 class HTTPSCRLSetTest : public HTTPSOCSPTest {
  protected:
   void SetupContext(URLRequestContext* context) override {
-    context->set_ssl_config_service(
-        new TestSSLConfigService(false /* check for EV */,
-                                 false /* online revocation checking */,
-                                 false /* require rev. checking for local
-                                          anchors */));
+    context->set_ssl_config_service(new TestSSLConfigService(
+        false /* check for EV */, false /* online revocation checking */,
+        false /* require rev. checking for local
+                                          anchors */,
+        false /* token binding enabled */));
   }
 };
 
 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) {
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_AUTO);
   ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID;
   SSLConfigService::SetCRLSet(
       scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting()));
 
@@ skipping 409 matching lines @@
 
   req->Start();
   req->Cancel();
   job->DetachRequest();
   base::RunLoop().RunUntilIdle();
   EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status());
   EXPECT_EQ(0, d.received_redirect_count());
 }
 
 }  // namespace net