OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/location.h" | 10 #include "base/location.h" |
11 #include "base/macros.h" | 11 #include "base/macros.h" |
12 #include "base/memory/ref_counted.h" | 12 #include "base/memory/ref_counted.h" |
13 #include "base/run_loop.h" | 13 #include "base/run_loop.h" |
14 #include "base/single_thread_task_runner.h" | 14 #include "base/single_thread_task_runner.h" |
15 #include "base/thread_task_runner_handle.h" | 15 #include "base/thread_task_runner_handle.h" |
16 #include "base/time/time.h" | 16 #include "base/time/time.h" |
17 #include "net/base/address_list.h" | 17 #include "net/base/address_list.h" |
18 #include "net/base/io_buffer.h" | 18 #include "net/base/io_buffer.h" |
19 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
20 #include "net/base/test_completion_callback.h" | 20 #include "net/base/test_completion_callback.h" |
21 #include "net/base/test_data_directory.h" | 21 #include "net/base/test_data_directory.h" |
22 #include "net/cert/asn1_util.h" | 22 #include "net/cert/asn1_util.h" |
23 #include "net/cert/cert_policy_enforcer.h" | 23 #include "net/cert/ct_policy_enforcer.h" |
24 #include "net/cert/ct_verifier.h" | 24 #include "net/cert/ct_verifier.h" |
25 #include "net/cert/mock_cert_verifier.h" | 25 #include "net/cert/mock_cert_verifier.h" |
26 #include "net/cert/test_root_certs.h" | 26 #include "net/cert/test_root_certs.h" |
27 #include "net/der/input.h" | 27 #include "net/der/input.h" |
28 #include "net/der/parser.h" | 28 #include "net/der/parser.h" |
29 #include "net/der/tag.h" | 29 #include "net/der/tag.h" |
30 #include "net/dns/host_resolver.h" | 30 #include "net/dns/host_resolver.h" |
31 #include "net/http/transport_security_state.h" | 31 #include "net/http/transport_security_state.h" |
32 #include "net/log/net_log.h" | 32 #include "net/log/net_log.h" |
33 #include "net/log/test_net_log.h" | 33 #include "net/log/test_net_log.h" |
(...skipping 640 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
674 class MockCTVerifier : public CTVerifier { | 674 class MockCTVerifier : public CTVerifier { |
675 public: | 675 public: |
676 MOCK_METHOD5(Verify, int(X509Certificate*, | 676 MOCK_METHOD5(Verify, int(X509Certificate*, |
677 const std::string&, | 677 const std::string&, |
678 const std::string&, | 678 const std::string&, |
679 ct::CTVerifyResult*, | 679 ct::CTVerifyResult*, |
680 const BoundNetLog&)); | 680 const BoundNetLog&)); |
681 MOCK_METHOD1(SetObserver, void(CTVerifier::Observer*)); | 681 MOCK_METHOD1(SetObserver, void(CTVerifier::Observer*)); |
682 }; | 682 }; |
683 | 683 |
684 // A mock CertPolicyEnforcer that returns a custom verification result. | 684 // A mock CTPolicyEnforcer that returns a custom verification result. |
685 class MockCertPolicyEnforcer : public CertPolicyEnforcer { | 685 class MockCTPolicyEnforcer : public CTPolicyEnforcer { |
686 public: | 686 public: |
687 MOCK_METHOD4(DoesConformToCTEVPolicy, | 687 MOCK_METHOD4(DoesConformToCTEVPolicy, |
688 bool(X509Certificate* cert, | 688 bool(X509Certificate* cert, |
689 const ct::EVCertsWhitelist*, | 689 const ct::EVCertsWhitelist*, |
690 const ct::CTVerifyResult&, | 690 const ct::CTVerifyResult&, |
691 const BoundNetLog&)); | 691 const BoundNetLog&)); |
692 }; | 692 }; |
693 | 693 |
694 class SSLClientSocketTest : public PlatformTest { | 694 class SSLClientSocketTest : public PlatformTest { |
695 public: | 695 public: |
(...skipping 12 matching lines...) Expand all Loading... |
708 | 708 |
709 // The SpawnedTestServer object, after calling StartTestServer(). | 709 // The SpawnedTestServer object, after calling StartTestServer(). |
710 const SpawnedTestServer* spawned_test_server() const { | 710 const SpawnedTestServer* spawned_test_server() const { |
711 return spawned_test_server_.get(); | 711 return spawned_test_server_.get(); |
712 } | 712 } |
713 | 713 |
714 void SetCTVerifier(CTVerifier* ct_verifier) { | 714 void SetCTVerifier(CTVerifier* ct_verifier) { |
715 context_.cert_transparency_verifier = ct_verifier; | 715 context_.cert_transparency_verifier = ct_verifier; |
716 } | 716 } |
717 | 717 |
718 void SetCertPolicyEnforcer(CertPolicyEnforcer* policy_enforcer) { | 718 void SetCTPolicyEnforcer(CTPolicyEnforcer* policy_enforcer) { |
719 context_.cert_policy_enforcer = policy_enforcer; | 719 context_.ct_policy_enforcer = policy_enforcer; |
720 } | 720 } |
721 | 721 |
722 // Starts the test server with SSL configuration |ssl_options|. Returns true | 722 // Starts the test server with SSL configuration |ssl_options|. Returns true |
723 // on success. | 723 // on success. |
724 bool StartTestServer(const SpawnedTestServer::SSLOptions& ssl_options) { | 724 bool StartTestServer(const SpawnedTestServer::SSLOptions& ssl_options) { |
725 spawned_test_server_.reset(new SpawnedTestServer( | 725 spawned_test_server_.reset(new SpawnedTestServer( |
726 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath())); | 726 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath())); |
727 if (!spawned_test_server_->Start()) { | 727 if (!spawned_test_server_->Start()) { |
728 LOG(ERROR) << "Could not start SpawnedTestServer"; | 728 LOG(ERROR) << "Could not start SpawnedTestServer"; |
729 return false; | 729 return false; |
(...skipping 1578 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2308 int rv; | 2308 int rv; |
2309 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2309 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
2310 EXPECT_EQ(OK, rv); | 2310 EXPECT_EQ(OK, rv); |
2311 | 2311 |
2312 SSLInfo result; | 2312 SSLInfo result; |
2313 ASSERT_TRUE(sock_->GetSSLInfo(&result)); | 2313 ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
2314 | 2314 |
2315 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV); | 2315 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV); |
2316 } | 2316 } |
2317 | 2317 |
2318 // Test that when a CT verifier and a CertPolicyEnforcer are defined, and | 2318 // Test that when a CT verifier and a CTPolicyEnforcer are defined, and |
2319 // the EV certificate used conforms to the CT/EV policy, its EV status | 2319 // the EV certificate used conforms to the CT/EV policy, its EV status |
2320 // is maintained. | 2320 // is maintained. |
2321 TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) { | 2321 TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) { |
2322 SpawnedTestServer::SSLOptions ssl_options; | 2322 SpawnedTestServer::SSLOptions ssl_options; |
2323 ASSERT_TRUE(StartTestServer(ssl_options)); | 2323 ASSERT_TRUE(StartTestServer(ssl_options)); |
2324 | 2324 |
2325 SSLConfig ssl_config; | 2325 SSLConfig ssl_config; |
2326 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); | 2326 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); |
2327 | 2327 |
2328 // To activate the CT/EV policy enforcement non-null CTVerifier and | 2328 // To activate the CT/EV policy enforcement non-null CTVerifier and |
2329 // CertPolicyEnforcer are needed. | 2329 // CTPolicyEnforcer are needed. |
2330 MockCTVerifier ct_verifier; | 2330 MockCTVerifier ct_verifier; |
2331 SetCTVerifier(&ct_verifier); | 2331 SetCTVerifier(&ct_verifier); |
2332 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); | 2332 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); |
2333 | 2333 |
2334 // Emulate compliance of the certificate to the policy. | 2334 // Emulate compliance of the certificate to the policy. |
2335 MockCertPolicyEnforcer policy_enforcer; | 2335 MockCTPolicyEnforcer policy_enforcer; |
2336 SetCertPolicyEnforcer(&policy_enforcer); | 2336 SetCTPolicyEnforcer(&policy_enforcer); |
2337 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) | 2337 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) |
2338 .WillRepeatedly(Return(true)); | 2338 .WillRepeatedly(Return(true)); |
2339 | 2339 |
2340 int rv; | 2340 int rv; |
2341 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2341 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
2342 EXPECT_EQ(OK, rv); | 2342 EXPECT_EQ(OK, rv); |
2343 | 2343 |
2344 SSLInfo result; | 2344 SSLInfo result; |
2345 ASSERT_TRUE(sock_->GetSSLInfo(&result)); | 2345 ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
2346 | 2346 |
2347 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV); | 2347 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV); |
2348 } | 2348 } |
2349 | 2349 |
2350 // Test that when a CT verifier and a CertPolicyEnforcer are defined, but | 2350 // Test that when a CT verifier and a CTPolicyEnforcer are defined, but |
2351 // the EV certificate used does not conform to the CT/EV policy, its EV status | 2351 // the EV certificate used does not conform to the CT/EV policy, its EV status |
2352 // is removed. | 2352 // is removed. |
2353 TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) { | 2353 TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) { |
2354 SpawnedTestServer::SSLOptions ssl_options; | 2354 SpawnedTestServer::SSLOptions ssl_options; |
2355 ASSERT_TRUE(StartTestServer(ssl_options)); | 2355 ASSERT_TRUE(StartTestServer(ssl_options)); |
2356 | 2356 |
2357 SSLConfig ssl_config; | 2357 SSLConfig ssl_config; |
2358 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); | 2358 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); |
2359 | 2359 |
2360 // To activate the CT/EV policy enforcement non-null CTVerifier and | 2360 // To activate the CT/EV policy enforcement non-null CTVerifier and |
2361 // CertPolicyEnforcer are needed. | 2361 // CTPolicyEnforcer are needed. |
2362 MockCTVerifier ct_verifier; | 2362 MockCTVerifier ct_verifier; |
2363 SetCTVerifier(&ct_verifier); | 2363 SetCTVerifier(&ct_verifier); |
2364 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); | 2364 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); |
2365 | 2365 |
2366 // Emulate non-compliance of the certificate to the policy. | 2366 // Emulate non-compliance of the certificate to the policy. |
2367 MockCertPolicyEnforcer policy_enforcer; | 2367 MockCTPolicyEnforcer policy_enforcer; |
2368 SetCertPolicyEnforcer(&policy_enforcer); | 2368 SetCTPolicyEnforcer(&policy_enforcer); |
2369 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) | 2369 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) |
2370 .WillRepeatedly(Return(false)); | 2370 .WillRepeatedly(Return(false)); |
2371 | 2371 |
2372 int rv; | 2372 int rv; |
2373 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2373 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
2374 EXPECT_EQ(OK, rv); | 2374 EXPECT_EQ(OK, rv); |
2375 | 2375 |
2376 SSLInfo result; | 2376 SSLInfo result; |
2377 ASSERT_TRUE(sock_->GetSSLInfo(&result)); | 2377 ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
2378 | 2378 |
(...skipping 856 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3235 int rv; | 3235 int rv; |
3236 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); | 3236 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); |
3237 EXPECT_EQ(OK, rv); | 3237 EXPECT_EQ(OK, rv); |
3238 | 3238 |
3239 std::string proto; | 3239 std::string proto; |
3240 EXPECT_EQ(SSLClientSocket::kNextProtoUnsupported, | 3240 EXPECT_EQ(SSLClientSocket::kNextProtoUnsupported, |
3241 sock_->GetNextProto(&proto)); | 3241 sock_->GetNextProto(&proto)); |
3242 } | 3242 } |
3243 | 3243 |
3244 } // namespace net | 3244 } // namespace net |
OLD | NEW |