| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ssl/security_state_model.h" | 5 #include "chrome/browser/ssl/security_state_model.h" |
| 6 | 6 |
| 7 #include "chrome/test/base/chrome_render_view_host_test_harness.h" | 7 #include "chrome/test/base/chrome_render_view_host_test_harness.h" |
| 8 #include "chrome/test/base/testing_profile.h" | 8 #include "chrome/test/base/testing_profile.h" |
| 9 #include "content/public/browser/cert_store.h" | 9 #include "content/public/browser/cert_store.h" |
| 10 #include "content/public/test/mock_render_process_host.h" | 10 #include "content/public/test/mock_render_process_host.h" |
| 11 #include "content/public/test/test_browser_thread_bundle.h" | 11 #include "content/public/test/test_browser_thread_bundle.h" |
| 12 #include "net/base/test_data_directory.h" | 12 #include "net/base/test_data_directory.h" |
| 13 #include "net/cert/x509_certificate.h" | 13 #include "net/cert/x509_certificate.h" |
| 14 #include "net/ssl/ssl_connection_status_flags.h" | 14 #include "net/ssl/ssl_connection_status_flags.h" |
| 15 #include "net/test/cert_test_util.h" | 15 #include "net/test/cert_test_util.h" |
| 16 #include "net/test/test_certificate_data.h" | 16 #include "net/test/test_certificate_data.h" |
| 17 #include "testing/gtest/include/gtest/gtest.h" | 17 #include "testing/gtest/include/gtest/gtest.h" |
| 18 | 18 |
| 19 namespace { | 19 namespace { |
| 20 | 20 |
| 21 const char kUrl[] = "https://foo.test"; | 21 const char kUrl[] = "https://foo.test"; |
| 22 | 22 |
| 23 void GetTestSSLStatus(int process_id, content::SSLStatus* ssl_status) { | 23 void GetTestSSLStatus(int process_id, |
| 24 scoped_refptr<net::X509Certificate>* cert, |
| 25 content::SSLStatus* ssl_status) { |
| 24 content::CertStore* cert_store = content::CertStore::GetInstance(); | 26 content::CertStore* cert_store = content::CertStore::GetInstance(); |
| 25 const scoped_refptr<net::X509Certificate>& cert = | 27 *cert = |
| 26 net::ImportCertFromFile(net::GetTestCertsDirectory(), "sha1_2016.pem"); | 28 net::ImportCertFromFile(net::GetTestCertsDirectory(), "sha1_2016.pem"); |
| 27 ASSERT_TRUE(cert); | 29 ASSERT_TRUE(*cert); |
| 28 ssl_status->cert_id = cert_store->StoreCert(cert.get(), process_id); | 30 ssl_status->cert_id = cert_store->StoreCert(cert->get(), process_id); |
| 29 EXPECT_GT(ssl_status->cert_id, 0); | 31 EXPECT_GT(ssl_status->cert_id, 0); |
| 30 ssl_status->cert_status = net::CERT_STATUS_SHA1_SIGNATURE_PRESENT; | 32 ssl_status->cert_status = net::CERT_STATUS_SHA1_SIGNATURE_PRESENT; |
| 31 ssl_status->security_bits = 256; | 33 ssl_status->security_bits = 256; |
| 32 ssl_status->connection_status = net::SSL_CONNECTION_VERSION_TLS1_2 | 34 ssl_status->connection_status = net::SSL_CONNECTION_VERSION_TLS1_2 |
| 33 << net::SSL_CONNECTION_VERSION_SHIFT; | 35 << net::SSL_CONNECTION_VERSION_SHIFT; |
| 34 } | 36 } |
| 35 | 37 |
| 36 class SecurityStateModelTest : public ChromeRenderViewHostTestHarness {}; | 38 class SecurityStateModelTest : public ChromeRenderViewHostTestHarness {}; |
| 37 | 39 |
| 38 // Tests that SHA1-signed certificates expiring in 2016 downgrade the | 40 // Tests that SHA1-signed certificates expiring in 2016 downgrade the |
| 39 // security state of the page. | 41 // security state of the page. |
| 40 TEST_F(SecurityStateModelTest, SHA1Warning) { | 42 TEST_F(SecurityStateModelTest, SHA1Warning) { |
| 41 GURL url(kUrl); | 43 GURL url(kUrl); |
| 42 Profile* test_profile = profile(); | 44 Profile* test_profile = profile(); |
| 43 SecurityStateModel::SecurityInfo security_info; | 45 SecurityStateModel::SecurityInfo security_info; |
| 44 content::SSLStatus ssl_status; | 46 content::SSLStatus ssl_status; |
| 45 ASSERT_NO_FATAL_FAILURE(GetTestSSLStatus(process()->GetID(), &ssl_status)); | 47 scoped_refptr<net::X509Certificate> cert; |
| 48 ASSERT_NO_FATAL_FAILURE( |
| 49 GetTestSSLStatus(process()->GetID(), &cert, &ssl_status)); |
| 46 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, | 50 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, |
| 47 &security_info); | 51 cert, false, &security_info); |
| 48 EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_MINOR, | 52 EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_MINOR, |
| 49 security_info.sha1_deprecation_status); | 53 security_info.sha1_deprecation_status); |
| 50 EXPECT_EQ(SecurityStateModel::NONE, security_info.security_level); | 54 EXPECT_EQ(SecurityStateModel::NONE, security_info.security_level); |
| 51 } | 55 } |
| 52 | 56 |
| 53 // Tests that SHA1 warnings don't interfere with the handling of mixed | 57 // Tests that SHA1 warnings don't interfere with the handling of mixed |
| 54 // content. | 58 // content. |
| 55 TEST_F(SecurityStateModelTest, SHA1WarningMixedContent) { | 59 TEST_F(SecurityStateModelTest, SHA1WarningMixedContent) { |
| 56 GURL url(kUrl); | 60 GURL url(kUrl); |
| 57 Profile* test_profile = profile(); | 61 Profile* test_profile = profile(); |
| 58 SecurityStateModel::SecurityInfo security_info; | 62 SecurityStateModel::SecurityInfo security_info; |
| 59 content::SSLStatus ssl_status; | 63 content::SSLStatus ssl_status; |
| 60 ASSERT_NO_FATAL_FAILURE(GetTestSSLStatus(process()->GetID(), &ssl_status)); | 64 scoped_refptr<net::X509Certificate> cert; |
| 65 ASSERT_NO_FATAL_FAILURE( |
| 66 GetTestSSLStatus(process()->GetID(), &cert, &ssl_status)); |
| 61 ssl_status.content_status = content::SSLStatus::DISPLAYED_INSECURE_CONTENT; | 67 ssl_status.content_status = content::SSLStatus::DISPLAYED_INSECURE_CONTENT; |
| 62 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, | 68 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, |
| 63 &security_info); | 69 cert, false, &security_info); |
| 64 EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_MINOR, | 70 EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_MINOR, |
| 65 security_info.sha1_deprecation_status); | 71 security_info.sha1_deprecation_status); |
| 66 EXPECT_EQ(SecurityStateModel::DISPLAYED_MIXED_CONTENT, | 72 EXPECT_EQ(SecurityStateModel::DISPLAYED_MIXED_CONTENT, |
| 67 security_info.mixed_content_status); | 73 security_info.mixed_content_status); |
| 68 EXPECT_EQ(SecurityStateModel::NONE, security_info.security_level); | 74 EXPECT_EQ(SecurityStateModel::NONE, security_info.security_level); |
| 69 | 75 |
| 70 ssl_status.security_style = content::SECURITY_STYLE_AUTHENTICATION_BROKEN; | 76 ssl_status.security_style = content::SECURITY_STYLE_AUTHENTICATION_BROKEN; |
| 71 ssl_status.content_status = content::SSLStatus::RAN_INSECURE_CONTENT; | 77 ssl_status.content_status = content::SSLStatus::RAN_INSECURE_CONTENT; |
| 72 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, | 78 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, |
| 73 &security_info); | 79 cert, false, &security_info); |
| 74 EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_MINOR, | 80 EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_MINOR, |
| 75 security_info.sha1_deprecation_status); | 81 security_info.sha1_deprecation_status); |
| 76 EXPECT_EQ(SecurityStateModel::RAN_MIXED_CONTENT, | 82 EXPECT_EQ(SecurityStateModel::RAN_MIXED_CONTENT, |
| 77 security_info.mixed_content_status); | 83 security_info.mixed_content_status); |
| 78 EXPECT_EQ(SecurityStateModel::SECURITY_ERROR, security_info.security_level); | 84 EXPECT_EQ(SecurityStateModel::SECURITY_ERROR, security_info.security_level); |
| 79 } | 85 } |
| 80 | 86 |
| 81 // Tests that SHA1 warnings don't interfere with the handling of major | 87 // Tests that SHA1 warnings don't interfere with the handling of major |
| 82 // cert errors. | 88 // cert errors. |
| 83 TEST_F(SecurityStateModelTest, SHA1WarningBrokenHTTPS) { | 89 TEST_F(SecurityStateModelTest, SHA1WarningBrokenHTTPS) { |
| 84 GURL url(kUrl); | 90 GURL url(kUrl); |
| 85 Profile* test_profile = profile(); | 91 Profile* test_profile = profile(); |
| 86 SecurityStateModel::SecurityInfo security_info; | 92 SecurityStateModel::SecurityInfo security_info; |
| 87 content::SSLStatus ssl_status; | 93 content::SSLStatus ssl_status; |
| 88 ASSERT_NO_FATAL_FAILURE(GetTestSSLStatus(process()->GetID(), &ssl_status)); | 94 scoped_refptr<net::X509Certificate> cert; |
| 95 ASSERT_NO_FATAL_FAILURE( |
| 96 GetTestSSLStatus(process()->GetID(), &cert, &ssl_status)); |
| 89 ssl_status.security_style = content::SECURITY_STYLE_AUTHENTICATION_BROKEN; | 97 ssl_status.security_style = content::SECURITY_STYLE_AUTHENTICATION_BROKEN; |
| 90 ssl_status.cert_status |= net::CERT_STATUS_DATE_INVALID; | 98 ssl_status.cert_status |= net::CERT_STATUS_DATE_INVALID; |
| 91 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, | 99 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, |
| 92 &security_info); | 100 cert, false, &security_info); |
| 93 EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_MINOR, | 101 EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_MINOR, |
| 94 security_info.sha1_deprecation_status); | 102 security_info.sha1_deprecation_status); |
| 95 EXPECT_EQ(SecurityStateModel::SECURITY_ERROR, security_info.security_level); | 103 EXPECT_EQ(SecurityStateModel::SECURITY_ERROR, security_info.security_level); |
| 96 } | 104 } |
| 97 | 105 |
| 98 // Tests that |security_info.is_secure_protocol_and_ciphersuite| is | 106 // Tests that |security_info.is_secure_protocol_and_ciphersuite| is |
| 99 // computed correctly. | 107 // computed correctly. |
| 100 TEST_F(SecurityStateModelTest, SecureProtocolAndCiphersuite) { | 108 TEST_F(SecurityStateModelTest, SecureProtocolAndCiphersuite) { |
| 101 GURL url(kUrl); | 109 GURL url(kUrl); |
| 102 Profile* test_profile = profile(); | 110 Profile* test_profile = profile(); |
| 103 SecurityStateModel::SecurityInfo security_info; | 111 SecurityStateModel::SecurityInfo security_info; |
| 104 content::SSLStatus ssl_status; | 112 content::SSLStatus ssl_status; |
| 105 ASSERT_NO_FATAL_FAILURE(GetTestSSLStatus(process()->GetID(), &ssl_status)); | 113 scoped_refptr<net::X509Certificate> cert; |
| 114 ASSERT_NO_FATAL_FAILURE( |
| 115 GetTestSSLStatus(process()->GetID(), &cert, &ssl_status)); |
| 106 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from | 116 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from |
| 107 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-param
eters-4 | 117 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-param
eters-4 |
| 108 const uint16 ciphersuite = 0xc02f; | 118 const uint16 ciphersuite = 0xc02f; |
| 109 ssl_status.connection_status = | 119 ssl_status.connection_status = |
| 110 (net::SSL_CONNECTION_VERSION_TLS1_2 << net::SSL_CONNECTION_VERSION_SHIFT); | 120 (net::SSL_CONNECTION_VERSION_TLS1_2 << net::SSL_CONNECTION_VERSION_SHIFT); |
| 111 net::SSLConnectionStatusSetCipherSuite(ciphersuite, | 121 net::SSLConnectionStatusSetCipherSuite(ciphersuite, |
| 112 &ssl_status.connection_status); | 122 &ssl_status.connection_status); |
| 113 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, | 123 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, |
| 114 &security_info); | 124 cert, false, &security_info); |
| 115 EXPECT_TRUE(security_info.is_secure_protocol_and_ciphersuite); | 125 EXPECT_TRUE(security_info.is_secure_protocol_and_ciphersuite); |
| 116 } | 126 } |
| 117 | 127 |
| 118 TEST_F(SecurityStateModelTest, NonsecureProtocol) { | 128 TEST_F(SecurityStateModelTest, NonsecureProtocol) { |
| 119 GURL url(kUrl); | 129 GURL url(kUrl); |
| 120 Profile* test_profile = profile(); | 130 Profile* test_profile = profile(); |
| 121 SecurityStateModel::SecurityInfo security_info; | 131 SecurityStateModel::SecurityInfo security_info; |
| 122 content::SSLStatus ssl_status; | 132 content::SSLStatus ssl_status; |
| 123 ASSERT_NO_FATAL_FAILURE(GetTestSSLStatus(process()->GetID(), &ssl_status)); | 133 scoped_refptr<net::X509Certificate> cert; |
| 134 ASSERT_NO_FATAL_FAILURE( |
| 135 GetTestSSLStatus(process()->GetID(), &cert, &ssl_status)); |
| 124 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from | 136 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from |
| 125 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-param
eters-4 | 137 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-param
eters-4 |
| 126 const uint16 ciphersuite = 0xc02f; | 138 const uint16 ciphersuite = 0xc02f; |
| 127 ssl_status.connection_status = | 139 ssl_status.connection_status = |
| 128 (net::SSL_CONNECTION_VERSION_TLS1_1 << net::SSL_CONNECTION_VERSION_SHIFT); | 140 (net::SSL_CONNECTION_VERSION_TLS1_1 << net::SSL_CONNECTION_VERSION_SHIFT); |
| 129 net::SSLConnectionStatusSetCipherSuite(ciphersuite, | 141 net::SSLConnectionStatusSetCipherSuite(ciphersuite, |
| 130 &ssl_status.connection_status); | 142 &ssl_status.connection_status); |
| 131 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, | 143 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, |
| 132 &security_info); | 144 cert, false, &security_info); |
| 133 EXPECT_FALSE(security_info.is_secure_protocol_and_ciphersuite); | 145 EXPECT_FALSE(security_info.is_secure_protocol_and_ciphersuite); |
| 134 } | 146 } |
| 135 | 147 |
| 136 TEST_F(SecurityStateModelTest, NonsecureCiphersuite) { | 148 TEST_F(SecurityStateModelTest, NonsecureCiphersuite) { |
| 137 GURL url(kUrl); | 149 GURL url(kUrl); |
| 138 Profile* test_profile = profile(); | 150 Profile* test_profile = profile(); |
| 139 SecurityStateModel::SecurityInfo security_info; | 151 SecurityStateModel::SecurityInfo security_info; |
| 140 content::SSLStatus ssl_status; | 152 content::SSLStatus ssl_status; |
| 141 ASSERT_NO_FATAL_FAILURE(GetTestSSLStatus(process()->GetID(), &ssl_status)); | 153 scoped_refptr<net::X509Certificate> cert; |
| 154 ASSERT_NO_FATAL_FAILURE( |
| 155 GetTestSSLStatus(process()->GetID(), &cert, &ssl_status)); |
| 142 // TLS_RSA_WITH_AES_128_CCM_8 from | 156 // TLS_RSA_WITH_AES_128_CCM_8 from |
| 143 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-param
eters-4 | 157 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-param
eters-4 |
| 144 const uint16 ciphersuite = 0xc0a0; | 158 const uint16 ciphersuite = 0xc0a0; |
| 145 ssl_status.connection_status = | 159 ssl_status.connection_status = |
| 146 (net::SSL_CONNECTION_VERSION_TLS1_2 << net::SSL_CONNECTION_VERSION_SHIFT); | 160 (net::SSL_CONNECTION_VERSION_TLS1_2 << net::SSL_CONNECTION_VERSION_SHIFT); |
| 147 net::SSLConnectionStatusSetCipherSuite(ciphersuite, | 161 net::SSLConnectionStatusSetCipherSuite(ciphersuite, |
| 148 &ssl_status.connection_status); | 162 &ssl_status.connection_status); |
| 149 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, | 163 SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile, |
| 150 &security_info); | 164 cert, false, &security_info); |
| 151 EXPECT_FALSE(security_info.is_secure_protocol_and_ciphersuite); | 165 EXPECT_FALSE(security_info.is_secure_protocol_and_ciphersuite); |
| 152 } | 166 } |
| 153 | 167 |
| 154 } // namespace | 168 } // namespace |
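Review bot: The new boolean argument to SecurityInfoForRequest is the bare literal `false` at all six call sites (new lines 51, 69, 79, 100, 124, 144, 164) and nothing in this file says what it controls, so a reader cannot tell which branch of the model these tests pin and the `true` path is never exercised here. Presumably it is a flag the model consults alongside `cert`; naming it at each site with the parameter-name comment convention, e.g. `cert, /*<param name>=*/false, &security_info);`, and adding one case that passes `true` would make the intent testable. Note also that GetTestSSLStatus still registers the certificate in CertStore via `StoreCert` while the model now receives `cert` directly; if SecurityInfoForRequest no longer resolves `cert_id` the store call is dead weight in the helper, and if it still does, nothing checks that the two agree — a one-line comment in GetTestSSLStatus stating which one the model reads would settle it.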