| Index: net/socket/ssl_client_socket_unittest.cc
|
| diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
|
| index 989981925304fd8ce167677b8b575f97df718d07..38b5ce9e19f991f6c5ce773a3e550b28e362e1a2 100644
|
| --- a/net/socket/ssl_client_socket_unittest.cc
|
| +++ b/net/socket/ssl_client_socket_unittest.cc
|
| @@ -684,10 +684,12 @@ class MockCTVerifier : public CTVerifier {
|
| // A mock CTPolicyEnforcer that returns a custom verification result.
|
| class MockCTPolicyEnforcer : public CTPolicyEnforcer {
|
| public:
|
| - MOCK_METHOD4(DoesConformToCTEVPolicy,
|
| + MOCK_METHOD2(DoesConformToCertPolicy,
|
| + bool(X509Certificate* cert, const ct::CTVerifyResult&));
|
| + MOCK_METHOD4(DoesConformToEVPolicy,
|
| bool(X509Certificate* cert,
|
| + CertStatus cert_status,
|
| const ct::EVCertsWhitelist*,
|
| - const ct::CTVerifyResult&,
|
| const BoundNetLog&));
|
| };
|
|
|
| @@ -2334,7 +2336,9 @@ TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) {
|
| // Emulate compliance of the certificate to the policy.
|
| MockCTPolicyEnforcer policy_enforcer;
|
| SetCTPolicyEnforcer(&policy_enforcer);
|
| - EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _))
|
| + EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _))
|
| + .WillRepeatedly(Return(true));
|
| + EXPECT_CALL(policy_enforcer, DoesConformToEVPolicy(_, _, _, _))
|
| .WillRepeatedly(Return(true));
|
|
|
| int rv;
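Review bot: The two expectations in EVCertStatusMaintainedForCompliantCert always return the same value, and the same holds for EVCertStatusRemovedForNonCompliantCert in the next hunk, so no test separates the two policy checks. A certificate that passes DoesConformToCertPolicy but fails DoesConformToEVPolicy is presumably the case the split exists for, and it is not exercised. Whether such a certificate keeps its EV status and whether CERT_STATUS_CT_COMPLIANCE_FAILED is set are left unpinned. Consider a further test using `EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _)).WillRepeatedly(Return(true));` together with `EXPECT_CALL(policy_enforcer, DoesConformToEVPolicy(_, _, _, _)).WillRepeatedly(Return(false));` and explicit assertions on both status bits. Both test bodies continue outside their hunks.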
|
| @@ -2366,7 +2370,9 @@ TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) {
|
| // Emulate non-compliance of the certificate to the policy.
|
| MockCTPolicyEnforcer policy_enforcer;
|
| SetCTPolicyEnforcer(&policy_enforcer);
|
| - EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _))
|
| + EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _))
|
| + .WillRepeatedly(Return(false));
|
| + EXPECT_CALL(policy_enforcer, DoesConformToEVPolicy(_, _, _, _))
|
| .WillRepeatedly(Return(false));
|
|
|
| int rv;
|
| @@ -2380,6 +2386,37 @@ TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) {
|
| EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED);
|
| }
|
|
|
| +// Test that when a CT verifier and a CTPolicyEnforcer are defined, but
|
| +// the non-EV certificate used does not conform to the CT/EV policy, the
|
| +// correct cert status flag is set.
|
| +TEST_F(SSLClientSocketTest, CertStatusSetForNonCompliantNonEVCert) {
|
| + SpawnedTestServer::SSLOptions ssl_options;
|
| + ASSERT_TRUE(StartTestServer(ssl_options));
|
| +
|
| + SSLConfig ssl_config;
|
| +
|
| + // To activate the CT/EV policy enforcement non-null CTVerifier and
|
| + // CTPolicyEnforcer are needed.
|
| + MockCTVerifier ct_verifier;
|
| + SetCTVerifier(&ct_verifier);
|
| + EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK));
|
| +
|
| + // Emulate non-compliance of the certificate to the policy.
|
| + MockCTPolicyEnforcer policy_enforcer;
|
| + SetCTPolicyEnforcer(&policy_enforcer);
|
| + EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _))
|
| + .WillRepeatedly(Return(false));
|
| +
|
| + int rv;
|
| + ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
|
| + EXPECT_EQ(OK, rv);
|
| +
|
| + SSLInfo result;
|
| + ASSERT_TRUE(sock_->GetSSLInfo(&result));
|
| +
|
| + EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED);
|
| +}
|
| +
|
| namespace {
|
|
|
| bool IsValidOCSPResponse(const base::StringPiece& input) {
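Review bot: CertStatusSetForNonCompliantNonEVCert sets no expectation on DoesConformToEVPolicy, so a call to it for this non-EV certificate would only be reported as an uninteresting call and the test would still pass. If the EV check is meant to be skipped for non-EV certificates, pin that with `EXPECT_CALL(policy_enforcer, DoesConformToEVPolicy(_, _, _, _)).Times(0);`. The header comment says "CT/EV policy" although only the certificate policy is mocked here; `// the non-EV certificate used does not conform to the CT certificate policy, the` would match the code. A companion case with `Return(true)` that asserts CERT_STATUS_CT_COMPLIANCE_FAILED is absent would catch a flag that gets set unconditionally.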
|
|
|