1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" | 5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" |
6 | 6 |
7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
8 #include "base/files/file_path.h" | 8 #include "base/files/file_path.h" |
9 #include "base/macros.h" | 9 #include "base/macros.h" |
10 #include "base/strings/string_split.h" | 10 #include "base/strings/string_split.h" |
151 secure_explanations[0].description); | 151 secure_explanations[0].description); |
152 int cert_id = browser->tab_strip_model() | 152 int cert_id = browser->tab_strip_model() |
153 ->GetActiveWebContents() | 153 ->GetActiveWebContents() |
154 ->GetController() | 154 ->GetController() |
155 .GetActiveEntry() | 155 .GetActiveEntry() |
156 ->GetSSL() | 156 ->GetSSL() |
157 .cert_id; | 157 .cert_id; |
158 EXPECT_EQ(cert_id, secure_explanations[0].cert_id); | 158 EXPECT_EQ(cert_id, secure_explanations[0].cert_id); |
159 } | 159 } |
160 | 160 |
161 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE), | 161 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY), |
162 secure_explanations.back().summary); | 162 secure_explanations.back().summary); |
163 EXPECT_EQ( | 163 |
164 l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE_DESCRIPTION), | 164 content::WebContents* web_contents = |
165 secure_explanations.back().description); | 165 browser->tab_strip_model()->GetActiveWebContents(); |
| 166 const SecurityStateModel::SecurityInfo& security_info = |
| 167 ChromeSecurityStateModelClient::FromWebContents(web_contents) |
| 168 ->GetSecurityInfo(); |
| 169 |
| 170 const char *protocol, *key_exchange, *cipher, *mac; |
| 171 int ssl_version = |
| 172 net::SSLConnectionStatusToVersion(security_info.connection_status); |
| 173 net::SSLVersionToString(&protocol, ssl_version); |
| 174 bool is_aead; |
| 175 uint16_t cipher_suite = |
| 176 net::SSLConnectionStatusToCipherSuite(security_info.connection_status); |
| 177 net::SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, |
| 178 cipher_suite); |
| 179 EXPECT_TRUE(is_aead); |
| 180 EXPECT_EQ(NULL, mac); // The default secure cipher does not have a MAC. |
| 181 |
| 182 std::vector<base::string16> description_replacements; |
| 183 description_replacements.push_back(base::ASCIIToUTF16(protocol)); |
| 184 description_replacements.push_back(base::ASCIIToUTF16(key_exchange)); |
| 185 description_replacements.push_back(base::ASCIIToUTF16(cipher)); |
| 186 base::string16 secure_description = l10n_util::GetStringFUTF16( |
| 187 IDS_STRONG_SSL_DESCRIPTION, description_replacements, nullptr); |
| 188 |
| 189 EXPECT_EQ(secure_description, |
| 190 base::ASCIIToUTF16(secure_explanations.back().description)); |
166 } | 191 } |
167 | 192 |
168 void CheckSecurityInfoForSecure( | 193 void CheckSecurityInfoForSecure( |
169 content::WebContents* contents, | 194 content::WebContents* contents, |
170 SecurityStateModel::SecurityLevel expect_security_level, | 195 SecurityStateModel::SecurityLevel expect_security_level, |
171 SecurityStateModel::SHA1DeprecationStatus expect_sha1_status, | 196 SecurityStateModel::SHA1DeprecationStatus expect_sha1_status, |
172 SecurityStateModel::ContentStatus expect_mixed_content_status, | 197 SecurityStateModel::ContentStatus expect_mixed_content_status, |
173 bool pkp_bypassed, | 198 bool pkp_bypassed, |
174 bool expect_cert_error) { | 199 bool expect_cert_error) { |
175 ASSERT_TRUE(contents); | 200 ASSERT_TRUE(contents); |
1074 EXPECT_TRUE(observer.latest_explanations().scheme_is_cryptographic); | 1099 EXPECT_TRUE(observer.latest_explanations().scheme_is_cryptographic); |
1075 EXPECT_FALSE(observer.latest_explanations().pkp_bypassed); | 1100 EXPECT_FALSE(observer.latest_explanations().pkp_bypassed); |
1076 EXPECT_TRUE(observer.latest_explanations().info_explanations.empty()); | 1101 EXPECT_TRUE(observer.latest_explanations().info_explanations.empty()); |
1077 EXPECT_FALSE(observer.latest_explanations().displayed_insecure_content); | 1102 EXPECT_FALSE(observer.latest_explanations().displayed_insecure_content); |
1078 EXPECT_FALSE(observer.latest_explanations().ran_insecure_content); | 1103 EXPECT_FALSE(observer.latest_explanations().ran_insecure_content); |
1079 } | 1104 } |
1080 | 1105 |
1081 // After AddNonsecureUrlHandler() is called, requests to this hostname | 1106 // After AddNonsecureUrlHandler() is called, requests to this hostname |
1082 // will use obsolete TLS settings. | 1107 // will use obsolete TLS settings. |
1083 const char kMockNonsecureHostname[] = "example-nonsecure.test"; | 1108 const char kMockNonsecureHostname[] = "example-nonsecure.test"; |
| 1109 const int kObsoleteTLSVersion = net::SSL_CONNECTION_VERSION_TLS1_1; |
| 1110 // ECDHE_RSA + AES_128_CBC with HMAC-SHA1 |
| 1111 const uint16_t kObsoleteCipherSuite = 0xc013; |
1084 | 1112 |
1085 // A URLRequestMockHTTPJob that mocks a TLS connection with an obsolete | 1113 // A URLRequestMockHTTPJob that mocks a TLS connection with the obsolete |
1086 // protocol version. | 1114 // TLS settings specified in kObsoleteTLSVersion and |
| 1115 // kObsoleteCipherSuite. |
1087 class URLRequestObsoleteTLSJob : public net::URLRequestMockHTTPJob { | 1116 class URLRequestObsoleteTLSJob : public net::URLRequestMockHTTPJob { |
1088 public: | 1117 public: |
1089 URLRequestObsoleteTLSJob(net::URLRequest* request, | 1118 URLRequestObsoleteTLSJob(net::URLRequest* request, |
1090 net::NetworkDelegate* network_delegate, | 1119 net::NetworkDelegate* network_delegate, |
1091 const base::FilePath& file_path, | 1120 const base::FilePath& file_path, |
1092 scoped_refptr<net::X509Certificate> cert, | 1121 scoped_refptr<net::X509Certificate> cert, |
1093 scoped_refptr<base::TaskRunner> task_runner) | 1122 scoped_refptr<base::TaskRunner> task_runner) |
1094 : net::URLRequestMockHTTPJob(request, | 1123 : net::URLRequestMockHTTPJob(request, |
1095 network_delegate, | 1124 network_delegate, |
1096 file_path, | 1125 file_path, |
1097 task_runner), | 1126 task_runner), |
1098 cert_(std::move(cert)) {} | 1127 cert_(std::move(cert)) {} |
1099 | 1128 |
1100 void GetResponseInfo(net::HttpResponseInfo* info) override { | 1129 void GetResponseInfo(net::HttpResponseInfo* info) override { |
1101 net::URLRequestMockHTTPJob::GetResponseInfo(info); | 1130 net::URLRequestMockHTTPJob::GetResponseInfo(info); |
1102 net::SSLConnectionStatusSetVersion(net::SSL_CONNECTION_VERSION_TLS1_1, | 1131 net::SSLConnectionStatusSetVersion(kObsoleteTLSVersion, |
1103 &info->ssl_info.connection_status); | 1132 &info->ssl_info.connection_status); |
1104 const uint16_t kTlsEcdheRsaWithAes128CbcSha = 0xc013; | 1133 net::SSLConnectionStatusSetCipherSuite(kObsoleteCipherSuite, |
1105 net::SSLConnectionStatusSetCipherSuite(kTlsEcdheRsaWithAes128CbcSha, | |
1106 &info->ssl_info.connection_status); | 1134 &info->ssl_info.connection_status); |
1107 info->ssl_info.cert = cert_; | 1135 info->ssl_info.cert = cert_; |
1108 } | 1136 } |
1109 | 1137 |
1110 protected: | 1138 protected: |
1111 ~URLRequestObsoleteTLSJob() override {} | 1139 ~URLRequestObsoleteTLSJob() override {} |
1112 | 1140 |
1113 private: | 1141 private: |
1114 const scoped_refptr<net::X509Certificate> cert_; | 1142 const scoped_refptr<net::X509Certificate> cert_; |
1115 | 1143 |
1203 // The security style of the page doesn't get downgraded for obsolete | 1231 // The security style of the page doesn't get downgraded for obsolete |
1204 // TLS settings, so it should remain at SECURITY_STYLE_AUTHENTICATED. | 1232 // TLS settings, so it should remain at SECURITY_STYLE_AUTHENTICATED. |
1205 EXPECT_EQ(content::SECURITY_STYLE_AUTHENTICATED, | 1233 EXPECT_EQ(content::SECURITY_STYLE_AUTHENTICATED, |
1206 observer.latest_security_style()); | 1234 observer.latest_security_style()); |
1207 | 1235 |
1208 // The messages explaining the security style do, however, get | 1236 // The messages explaining the security style do, however, get |
1209 // downgraded: SECURE_PROTOCOL_AND_CIPHERSUITE should not show up when | 1237 // downgraded: SECURE_PROTOCOL_AND_CIPHERSUITE should not show up when |
1210 // the TLS settings are obsolete. | 1238 // the TLS settings are obsolete. |
1211 for (const auto& explanation : | 1239 for (const auto& explanation : |
1212 observer.latest_explanations().secure_explanations) { | 1240 observer.latest_explanations().secure_explanations) { |
1213 EXPECT_NE(l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE), | 1241 EXPECT_NE(l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY), |
1214 explanation.summary); | 1242 explanation.summary); |
1215 } | 1243 } |
| 1244 |
| 1245 // Populate description string replacement with values corresponding |
| 1246 // to test constants. |
| 1247 std::vector<base::string16> description_replacements; |
| 1248 description_replacements.push_back( |
| 1249 l10n_util::GetStringUTF16(IDS_SSL_AN_OBSOLETE_PROTOCOL)); |
| 1250 description_replacements.push_back(base::ASCIIToUTF16("TLS 1.1")); |
| 1251 description_replacements.push_back( |
| 1252 l10n_util::GetStringUTF16(IDS_SSL_A_STRONG_KEY_EXCHANGE)); |
| 1253 description_replacements.push_back(base::ASCIIToUTF16("ECDHE_RSA")); |
| 1254 description_replacements.push_back( |
| 1255 l10n_util::GetStringUTF16(IDS_SSL_AN_OBSOLETE_CIPHER)); |
| 1256 description_replacements.push_back( |
| 1257 base::ASCIIToUTF16("AES_128_CBC with HMAC-SHA1")); |
| 1258 base::string16 obsolete_description = l10n_util::GetStringFUTF16( |
| 1259 IDS_OBSOLETE_SSL_DESCRIPTION, description_replacements, nullptr); |
| 1260 |
| 1261 EXPECT_EQ( |
| 1262 obsolete_description, |
| 1263 base::ASCIIToUTF16( |
| 1264 observer.latest_explanations().info_explanations[0].description)); |
1216 } | 1265 } |
1217 | 1266 |
1218 // After AddSCTUrlHandler() is called, requests to this hostname | 1267 // After AddSCTUrlHandler() is called, requests to this hostname |
1219 // will be served with Signed Certificate Timestamps. | 1268 // will be served with Signed Certificate Timestamps. |
1220 const char kMockHostnameWithSCTs[] = "example-scts.test"; | 1269 const char kMockHostnameWithSCTs[] = "example-scts.test"; |
1221 | 1270 |
1222 // URLRequestJobWithSCTs mocks a connection that includes a set of dummy | 1271 // URLRequestJobWithSCTs mocks a connection that includes a set of dummy |
1223 // SCTs with these statuses. | 1272 // SCTs with these statuses. |
1224 const std::vector<net::ct::SCTVerifyStatus> kTestSCTStatuses{ | 1273 const std::vector<net::ct::SCTVerifyStatus> kTestSCTStatuses{ |
1225 net::ct::SCT_STATUS_OK, net::ct::SCT_STATUS_LOG_UNKNOWN, | 1274 net::ct::SCT_STATUS_OK, net::ct::SCT_STATUS_LOG_UNKNOWN, |
1346 ChromeSecurityStateModelClient* model_client = | 1395 ChromeSecurityStateModelClient* model_client = |
1347 ChromeSecurityStateModelClient::FromWebContents(web_contents); | 1396 ChromeSecurityStateModelClient::FromWebContents(web_contents); |
1348 ASSERT_TRUE(model_client); | 1397 ASSERT_TRUE(model_client); |
1349 const SecurityStateModel::SecurityInfo& security_info = | 1398 const SecurityStateModel::SecurityInfo& security_info = |
1350 model_client->GetSecurityInfo(); | 1399 model_client->GetSecurityInfo(); |
1351 EXPECT_EQ(SecurityStateModel::SECURE, security_info.security_level); | 1400 EXPECT_EQ(SecurityStateModel::SECURE, security_info.security_level); |
1352 EXPECT_EQ(kTestSCTStatuses, security_info.sct_verify_statuses); | 1401 EXPECT_EQ(kTestSCTStatuses, security_info.sct_verify_statuses); |
1353 } | 1402 } |
1354 | 1403 |
1355 } // namespace | 1404 } // namespace |
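Review bot: The new expectation at new lines 1261–1264 indexes `info_explanations[0]` without first asserting the vector is non-empty, so a regression that drops the obsolete-TLS explanation would be undefined behaviour in the test instead of a clean failure; add `ASSERT_FALSE(observer.latest_explanations().info_explanations.empty());` before the EXPECT_EQ. The same hunk spells the expected replacements as literals ("TLS 1.1", "ECDHE_RSA", "AES_128_CBC with HMAC-SHA1") although kObsoleteTLSVersion and kObsoleteCipherSuite now define the mocked settings, so deriving them via net::SSLVersionToString/net::SSLCipherSuiteToStrings, as the first hunk (new lines 170–187) already does, would keep the constants and the expected text from drifting apart. In that first hunk `key_exchange` and `cipher` are passed straight to base::ASCIIToUTF16 while the same call is shown to leave `mac` null, so if SSLCipherSuiteToStrings can also leave those null for some suites an `ASSERT_TRUE(key_exchange && cipher);` after the call would turn a crash into a test failure (unverified from here). The context comment at new line 1237 still names SECURE_PROTOCOL_AND_CIPHERSUITE although line 1241 now checks IDS_STRONG_SSL_SUMMARY; update it to `// downgraded: STRONG_SSL_SUMMARY should not show up when`. Both enclosing test bodies begin outside the visible hunks.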