| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
| 10 #include "base/location.h" | 10 #include "base/location.h" |
| (...skipping 666 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 677 const std::string&, | 677 const std::string&, |
| 678 const std::string&, | 678 const std::string&, |
| 679 ct::CTVerifyResult*, | 679 ct::CTVerifyResult*, |
| 680 const BoundNetLog&)); | 680 const BoundNetLog&)); |
| 681 MOCK_METHOD1(SetObserver, void(CTVerifier::Observer*)); | 681 MOCK_METHOD1(SetObserver, void(CTVerifier::Observer*)); |
| 682 }; | 682 }; |
| 683 | 683 |
| 684 // A mock CTPolicyEnforcer that returns a custom verification result. | 684 // A mock CTPolicyEnforcer that returns a custom verification result. |
| 685 class MockCTPolicyEnforcer : public CTPolicyEnforcer { | 685 class MockCTPolicyEnforcer : public CTPolicyEnforcer { |
| 686 public: | 686 public: |
| 687 MOCK_METHOD4(DoesConformToCTEVPolicy, | 687 MOCK_METHOD4(DoesConformToCTPolicy, |
| 688 bool(X509Certificate* cert, | 688 bool(X509Certificate* cert, |
| 689 const ct::EVCertsWhitelist*, | 689 const ct::EVCertsWhitelist*, |
| 690 const ct::CTVerifyResult&, | 690 const ct::CTVerifyResult&, |
| 691 const BoundNetLog&)); | 691 const BoundNetLog&)); |
| 692 }; | 692 }; |
| 693 | 693 |
| 694 class SSLClientSocketTest : public PlatformTest { | 694 class SSLClientSocketTest : public PlatformTest { |
| 695 public: | 695 public: |
| 696 SSLClientSocketTest() | 696 SSLClientSocketTest() |
| 697 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | 697 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), |
| (...skipping 1629 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2327 | 2327 |
| 2328 // To activate the CT/EV policy enforcement non-null CTVerifier and | 2328 // To activate the CT/EV policy enforcement non-null CTVerifier and |
| 2329 // CTPolicyEnforcer are needed. | 2329 // CTPolicyEnforcer are needed. |
| 2330 MockCTVerifier ct_verifier; | 2330 MockCTVerifier ct_verifier; |
| 2331 SetCTVerifier(&ct_verifier); | 2331 SetCTVerifier(&ct_verifier); |
| 2332 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); | 2332 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); |
| 2333 | 2333 |
| 2334 // Emulate compliance of the certificate to the policy. | 2334 // Emulate compliance of the certificate to the policy. |
| 2335 MockCTPolicyEnforcer policy_enforcer; | 2335 MockCTPolicyEnforcer policy_enforcer; |
| 2336 SetCTPolicyEnforcer(&policy_enforcer); | 2336 SetCTPolicyEnforcer(&policy_enforcer); |
| 2337 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) | 2337 EXPECT_CALL(policy_enforcer, DoesConformToCTPolicy(_, _, _, _)) |
| 2338 .WillRepeatedly(Return(true)); | 2338 .WillRepeatedly(Return(true)); |
| 2339 | 2339 |
| 2340 int rv; | 2340 int rv; |
| 2341 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2341 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2342 EXPECT_EQ(OK, rv); | 2342 EXPECT_EQ(OK, rv); |
| 2343 | 2343 |
| 2344 SSLInfo result; | 2344 SSLInfo result; |
| 2345 ASSERT_TRUE(sock_->GetSSLInfo(&result)); | 2345 ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
| 2346 | 2346 |
| 2347 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV); | 2347 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 2359 | 2359 |
| 2360 // To activate the CT/EV policy enforcement non-null CTVerifier and | 2360 // To activate the CT/EV policy enforcement non-null CTVerifier and |
| 2361 // CTPolicyEnforcer are needed. | 2361 // CTPolicyEnforcer are needed. |
| 2362 MockCTVerifier ct_verifier; | 2362 MockCTVerifier ct_verifier; |
| 2363 SetCTVerifier(&ct_verifier); | 2363 SetCTVerifier(&ct_verifier); |
| 2364 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); | 2364 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); |
| 2365 | 2365 |
| 2366 // Emulate non-compliance of the certificate to the policy. | 2366 // Emulate non-compliance of the certificate to the policy. |
| 2367 MockCTPolicyEnforcer policy_enforcer; | 2367 MockCTPolicyEnforcer policy_enforcer; |
| 2368 SetCTPolicyEnforcer(&policy_enforcer); | 2368 SetCTPolicyEnforcer(&policy_enforcer); |
| 2369 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) | 2369 EXPECT_CALL(policy_enforcer, DoesConformToCTPolicy(_, _, _, _)) |
| 2370 .WillRepeatedly(Return(false)); | 2370 .WillRepeatedly(Return(false)); |
| 2371 | 2371 |
| 2372 int rv; | 2372 int rv; |
| 2373 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2373 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2374 EXPECT_EQ(OK, rv); | 2374 EXPECT_EQ(OK, rv); |
| 2375 | 2375 |
| 2376 SSLInfo result; | 2376 SSLInfo result; |
| 2377 ASSERT_TRUE(sock_->GetSSLInfo(&result)); | 2377 ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
| 2378 | 2378 |
| 2379 EXPECT_FALSE(result.cert_status & CERT_STATUS_IS_EV); | 2379 EXPECT_FALSE(result.cert_status & CERT_STATUS_IS_EV); |
| 2380 EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED); | 2380 EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED); |
| 2381 } | 2381 } |
| 2382 | 2382 |
| 2383 // Test that when a CT verifier and a CTPolicyEnforcer are defined, but |
| 2384 // the non-EV certificate used does not conform to the CT/EV policy, the |
| 2385 // correct cert status flag is set. |
| 2386 TEST_F(SSLClientSocketTest, CertStatusSetForNonCompliantNonEVCert) { |
| 2387 SpawnedTestServer::SSLOptions ssl_options; |
| 2388 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 2389 |
| 2390 SSLConfig ssl_config; |
| 2391 |
| 2392 // To activate the CT/EV policy enforcement non-null CTVerifier and |
| 2393 // CTPolicyEnforcer are needed. |
| 2394 MockCTVerifier ct_verifier; |
| 2395 SetCTVerifier(&ct_verifier); |
| 2396 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); |
| 2397 |
| 2398 // Emulate non-compliance of the certificate to the policy. |
| 2399 MockCTPolicyEnforcer policy_enforcer; |
| 2400 SetCTPolicyEnforcer(&policy_enforcer); |
| 2401 EXPECT_CALL(policy_enforcer, DoesConformToCTPolicy(_, _, _, _)) |
| 2402 .WillRepeatedly(Return(false)); |
| 2403 |
| 2404 int rv; |
| 2405 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2406 EXPECT_EQ(OK, rv); |
| 2407 |
| 2408 SSLInfo result; |
| 2409 ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
| 2410 |
| 2411 EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED); |
| 2412 } |
| 2413 |
| 2383 namespace { | 2414 namespace { |
| 2384 | 2415 |
| 2385 bool IsValidOCSPResponse(const base::StringPiece& input) { | 2416 bool IsValidOCSPResponse(const base::StringPiece& input) { |
| 2386 der::Parser parser(der::Input(reinterpret_cast<const uint8_t*>(input.data()), | 2417 der::Parser parser(der::Input(reinterpret_cast<const uint8_t*>(input.data()), |
| 2387 input.length())); | 2418 input.length())); |
| 2388 der::Parser sequence; | 2419 der::Parser sequence; |
| 2389 return parser.ReadSequence(&sequence) && !parser.HasMore() && | 2420 return parser.ReadSequence(&sequence) && !parser.HasMore() && |
| 2390 sequence.SkipTag(der::kEnumerated) && | 2421 sequence.SkipTag(der::kEnumerated) && |
| 2391 sequence.SkipTag(der::kTagContextSpecific | der::kTagConstructed | | 2422 sequence.SkipTag(der::kTagContextSpecific | der::kTagConstructed | |
| 2392 0) && | 2423 0) && |
| (...skipping 842 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3235 int rv; | 3266 int rv; |
| 3236 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); | 3267 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); |
| 3237 EXPECT_EQ(OK, rv); | 3268 EXPECT_EQ(OK, rv); |
| 3238 | 3269 |
| 3239 std::string proto; | 3270 std::string proto; |
| 3240 EXPECT_EQ(SSLClientSocket::kNextProtoUnsupported, | 3271 EXPECT_EQ(SSLClientSocket::kNextProtoUnsupported, |
| 3241 sock_->GetNextProto(&proto)); | 3272 sock_->GetNextProto(&proto)); |
| 3242 } | 3273 } |
| 3243 | 3274 |
| 3244 } // namespace net | 3275 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1578993003:
Add Expect CT policy that gets checked on all certs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master