
Unified Diff: net/socket/ssl_client_socket_unittest.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: update some comments Created 4 years, 11 months ago
Index: net/socket/ssl_client_socket_unittest.cc
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 989981925304fd8ce167677b8b575f97df718d07..45207e9997100647d04406cc7086cc74a4768f38 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -684,7 +684,7 @@ class MockCTVerifier : public CTVerifier {
// A mock CTPolicyEnforcer that returns a custom verification result.
class MockCTPolicyEnforcer : public CTPolicyEnforcer {
public:
- MOCK_METHOD4(DoesConformToCTEVPolicy,
+ MOCK_METHOD4(DoesConformToCTPolicy,
bool(X509Certificate* cert,
const ct::EVCertsWhitelist*,
const ct::CTVerifyResult&,
@@ -2334,7 +2334,7 @@ TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) {
// Emulate compliance of the certificate to the policy.
MockCTPolicyEnforcer policy_enforcer;
SetCTPolicyEnforcer(&policy_enforcer);
- EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _))
+ EXPECT_CALL(policy_enforcer, DoesConformToCTPolicy(_, _, _, _))
.WillRepeatedly(Return(true));
int rv;
@@ -2366,7 +2366,7 @@ TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) {
// Emulate non-compliance of the certificate to the policy.
MockCTPolicyEnforcer policy_enforcer;
SetCTPolicyEnforcer(&policy_enforcer);
- EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _))
+ EXPECT_CALL(policy_enforcer, DoesConformToCTPolicy(_, _, _, _))
.WillRepeatedly(Return(false));
int rv;
@@ -2380,6 +2380,37 @@ TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) {
EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED);
}
+// Test that when a CT verifier and a CTPolicyEnforcer are defined, but
+// the non-EV certificate used does not conform to the CT/EV policy, the
+// correct cert status flag is set.
+TEST_F(SSLClientSocketTest, CertStatusSetForNonCompliantNonEVCert) {
+ SpawnedTestServer::SSLOptions ssl_options;
+ ASSERT_TRUE(StartTestServer(ssl_options));
+
+ SSLConfig ssl_config;
+
+ // To activate the CT/EV policy enforcement non-null CTVerifier and
+ // CTPolicyEnforcer are needed.
+ MockCTVerifier ct_verifier;
+ SetCTVerifier(&ct_verifier);
+ EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK));
+
+ // Emulate non-compliance of the certificate to the policy.
+ MockCTPolicyEnforcer policy_enforcer;
+ SetCTPolicyEnforcer(&policy_enforcer);
+ EXPECT_CALL(policy_enforcer, DoesConformToCTPolicy(_, _, _, _))
+ .WillRepeatedly(Return(false));
+
+ int rv;
+ ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+ EXPECT_EQ(OK, rv);
+
+ SSLInfo result;
+ ASSERT_TRUE(sock_->GetSSLInfo(&result));
+
+ EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED);
+}
+
namespace {
bool IsValidOCSPResponse(const base::StringPiece& input) {
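Review bot: The added test `CertStatusSetForNonCompliantNonEVCert` pins only the failing case, so an implementation that set `CERT_STATUS_CT_COMPLIANCE_FAILED` on every non-EV connection would still pass; no compliant non-EV counterpart is visible in this diff. Consider a sibling test that uses `.WillRepeatedly(Return(true))` and asserts `EXPECT_FALSE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED);`. `EXPECT_EQ(OK, rv)` shows the handshake still succeeds when the policy check fails, so the status bit is the only signal a caller gets; a comment such as `// Non-compliance is reported via cert_status only; the connection itself is not failed.` would make that intent explicit. The test's header comment and the "To activate the CT/EV policy enforcement" comment still say "CT/EV policy", although the mocked method is now `DoesConformToCTPolicy`.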