
Side by Side Diff: net/quic/crypto/proof_verifier_chromium_test.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: fix browser tests, kinda hacky :( Created 4 years, 11 months ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/quic/crypto/proof_verifier_chromium.h" 5 #include "net/quic/crypto/proof_verifier_chromium.h"
6 6
7 #include "base/memory/ref_counted.h" 7 #include "base/memory/ref_counted.h"
8 #include "base/memory/scoped_ptr.h" 8 #include "base/memory/scoped_ptr.h"
9 #include "net/base/net_errors.h" 9 #include "net/base/net_errors.h"
10 #include "net/base/test_data_directory.h" 10 #include "net/base/test_data_directory.h"
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after
43 CRLSet* crl_set, 43 CRLSet* crl_set,
44 CertVerifyResult* verify_result, 44 CertVerifyResult* verify_result,
45 const CompletionCallback& callback, 45 const CompletionCallback& callback,
46 scoped_ptr<CertVerifier::Request>* out_req, 46 scoped_ptr<CertVerifier::Request>* out_req,
47 const BoundNetLog& net_log) override { 47 const BoundNetLog& net_log) override {
48 ADD_FAILURE() << "CertVerifier::Verify() should not be called"; 48 ADD_FAILURE() << "CertVerifier::Verify() should not be called";
49 return ERR_FAILED; 49 return ERR_FAILED;
50 } 50 }
51 }; 51 };
52 52
53 // CTPolicyEnforcer that will fail the test if it is ever called.
54 class FailsTestCTPolicyEnforcer : public CTPolicyEnforcer {
55 public:
56 FailsTestCTPolicyEnforcer() {}
57 ~FailsTestCTPolicyEnforcer() override {}
58
59 bool DoesConformToCTEVPolicy(X509Certificate* cert,
60 const ct::EVCertsWhitelist* ev_whitelist,
61 const ct::CTVerifyResult& ct_result,
62 const BoundNetLog& net_log) override {
63 ADD_FAILURE() << "CTPolicyEnforcer::DoesConformToCTEVPolicy() should "
64 << "not be called";
65 return false;
66 }
67 };
68
69 // CTPolicyEnforcer that can simulate whether or not a given certificate 53 // CTPolicyEnforcer that can simulate whether or not a given certificate
70 // conforms to the CT/EV policy. 54 // conforms to the CT/EV policy.
71 class MockCTPolicyEnforcer : public CTPolicyEnforcer { 55 class MockCTPolicyEnforcer : public CTPolicyEnforcer {
72 public: 56 public:
73 MockCTPolicyEnforcer(bool is_ev) : is_ev_(is_ev) {} 57 MockCTPolicyEnforcer(bool is_ev) : is_ev_(is_ev) {}
74 ~MockCTPolicyEnforcer() override {} 58 ~MockCTPolicyEnforcer() override {}
75 59
76 bool DoesConformToCTEVPolicy(X509Certificate* cert, 60 bool DoesConformToCertPolicy(X509Certificate* cert,
77 const ct::EVCertsWhitelist* ev_whitelist, 61 const ct::CTVerifyResult& ct_result) override {
78 const ct::CTVerifyResult& ct_result,
79 const BoundNetLog& net_log) override {
80 return is_ev_; 62 return is_ev_;
81 } 63 }
82 64
65 bool DoesConformToEVPolicy(X509Certificate* cert,
66 CertStatus cert_status,
67 const ct::EVCertsWhitelist* ev_whitelist,
68 const BoundNetLog& net_log) override {
69 return is_ev_;
70 }
71
83 private: 72 private:
84 bool is_ev_; 73 bool is_ev_;
85 }; 74 };
86 75
87 class DummyProofVerifierCallback : public ProofVerifierCallback { 76 class DummyProofVerifierCallback : public ProofVerifierCallback {
88 public: 77 public:
89 DummyProofVerifierCallback() {} 78 DummyProofVerifierCallback() {}
90 ~DummyProofVerifierCallback() override {} 79 ~DummyProofVerifierCallback() override {}
91 80
92 void Run(bool ok, 81 void Run(bool ok,
(...skipping 295 matching lines...) Expand 10 before | Expand all | Expand 10 after
388 ASSERT_EQ(QUIC_SUCCESS, status); 377 ASSERT_EQ(QUIC_SUCCESS, status);
389 378
390 ASSERT_TRUE(details_.get()); 379 ASSERT_TRUE(details_.get());
391 ProofVerifyDetailsChromium* verify_details = 380 ProofVerifyDetailsChromium* verify_details =
392 static_cast<ProofVerifyDetailsChromium*>(details_.get()); 381 static_cast<ProofVerifyDetailsChromium*>(details_.get());
393 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED, 382 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED,
394 verify_details->cert_verify_result.cert_status & 383 verify_details->cert_verify_result.cert_status &
395 (CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV)); 384 (CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV));
396 } 385 }
397 386
398 // Tests that the certificate policy enforcer is not consulted if 387 // Tests that the certificate policy enforcer is consulted even if
399 // the certificate is not EV. 388 // the certificate is not EV.
400 TEST_F(ProofVerifierChromiumTest, IgnoresPolicyEnforcerIfNotEV) { 389 TEST_F(ProofVerifierChromiumTest, PolicyEnforcerConsultedIfNotEV) {
401 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); 390 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
402 ASSERT_TRUE(test_cert); 391 ASSERT_TRUE(test_cert);
403 392
404 CertVerifyResult dummy_result; 393 CertVerifyResult dummy_result;
405 dummy_result.verified_cert = test_cert; 394 dummy_result.verified_cert = test_cert;
406 dummy_result.cert_status = 0; 395 dummy_result.cert_status = 0;
407 396
408 MockCertVerifier dummy_verifier; 397 MockCertVerifier dummy_verifier;
409 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); 398 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
410 399
411 FailsTestCTPolicyEnforcer policy_enforcer; 400 MockCTPolicyEnforcer policy_enforcer(false /*is_ev*/);
412 401
413 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, 402 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
414 nullptr, ct_verifier_.get()); 403 nullptr, ct_verifier_.get());
415 404
416 scoped_ptr<DummyProofVerifierCallback> callback( 405 scoped_ptr<DummyProofVerifierCallback> callback(
417 new DummyProofVerifierCallback); 406 new DummyProofVerifierCallback);
418 QuicAsyncStatus status = proof_verifier.VerifyProof( 407 QuicAsyncStatus status = proof_verifier.VerifyProof(
419 kTestHostname, kTestConfig, certs_, "", GetTestSignature(), 408 kTestHostname, kTestConfig, certs_, "", GetTestSignature(),
420 verify_context_.get(), &error_details_, &details_, callback.get()); 409 verify_context_.get(), &error_details_, &details_, callback.get());
421 ASSERT_EQ(QUIC_SUCCESS, status); 410 ASSERT_EQ(QUIC_SUCCESS, status);
422 411
423 ASSERT_TRUE(details_.get()); 412 ASSERT_TRUE(details_.get());
424 ProofVerifyDetailsChromium* verify_details = 413 ProofVerifyDetailsChromium* verify_details =
425 static_cast<ProofVerifyDetailsChromium*>(details_.get()); 414 static_cast<ProofVerifyDetailsChromium*>(details_.get());
426 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); 415 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED,
416 verify_details->cert_verify_result.cert_status);
427 } 417 }
428 418
429 } // namespace test 419 } // namespace test
430 } // namespace net 420 } // namespace net
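Review bot: MockCTPolicyEnforcer now answers both DoesConformToCertPolicy (new lines 60-63) and DoesConformToEVPolicy (new lines 65-70) from the single is_ev_ flag, so PolicyEnforcerConsultedIfNotEV (new lines 389-417) only observes the resulting cert_status and cannot show that the cert-policy hook was actually consulted for a non-EV certificate, which is what the renamed test promises. Recording the call in the mock would pin that, e.g. `bool cert_policy_consulted_ = false;` set with `cert_policy_consulted_ = true;` at the top of DoesConformToCertPolicy, exposed through an accessor and checked in the test with `EXPECT_TRUE(policy_enforcer.cert_policy_consulted());`. The class comment at new lines 53-54 should also state that both policy hooks return the same is_ev value, since the name is_ev_ no longer describes what DoesConformToCertPolicy returns. The mock's is_ev_ flag presumably also drives CERT_STATUS_IS_EV in the other tests, so any split into two flags would need defaults that keep existing `MockCTPolicyEnforcer(true)` callers unchanged.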