| OLD | NEW |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include "base/memory/ref_counted.h" | 7 #include "base/memory/ref_counted.h" |
| 8 #include "base/memory/scoped_ptr.h" | 8 #include "base/memory/scoped_ptr.h" |
| 9 #include "net/base/net_errors.h" | 9 #include "net/base/net_errors.h" |
| 10 #include "net/base/test_data_directory.h" | 10 #include "net/base/test_data_directory.h" |
| 215 // Tests that the ProofVerifier fails verification if certificate | 215 // Tests that the ProofVerifier fails verification if certificate |
| 216 // verification fails. | 216 // verification fails. |
| 217 TEST_F(ProofVerifierChromiumTest, FailsIfCertFails) { | 217 TEST_F(ProofVerifierChromiumTest, FailsIfCertFails) { |
| 218 MockCertVerifier dummy_verifier; | 218 MockCertVerifier dummy_verifier; |
| 219 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr, | 219 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr, |
| 220 ct_verifier_.get()); | 220 ct_verifier_.get()); |
| 221 | 221 |
| 222 scoped_ptr<DummyProofVerifierCallback> callback( | 222 scoped_ptr<DummyProofVerifierCallback> callback( |
| 223 new DummyProofVerifierCallback); | 223 new DummyProofVerifierCallback); |
| 224 QuicAsyncStatus status = proof_verifier.VerifyProof( | 224 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 225 kTestHostname, kTestConfig, certs_, "", GetTestSignature(), | 225 kTestHostname, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 226 verify_context_.get(), &error_details_, &details_, callback.get()); | 226 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 227 callback.get()); |
| 227 ASSERT_EQ(QUIC_FAILURE, status); | 228 ASSERT_EQ(QUIC_FAILURE, status); |
| 228 } | 229 } |
| 229 | 230 |
| 230 // Valid SCT, but invalid signature. | 231 // Valid SCT, but invalid signature. |
| 231 TEST_F(ProofVerifierChromiumTest, ValidSCTList) { | 232 TEST_F(ProofVerifierChromiumTest, ValidSCTList) { |
| 232 // Use different certificates for SCT tests. | 233 // Use different certificates for SCT tests. |
| 233 ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); | 234 ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); |
| 234 | 235 |
| 235 MockCertVerifier cert_verifier; | 236 MockCertVerifier cert_verifier; |
| 236 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, | 237 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, |
| 237 ct_verifier_.get()); | 238 ct_verifier_.get()); |
| 238 | 239 |
| 239 scoped_ptr<DummyProofVerifierCallback> callback( | 240 scoped_ptr<DummyProofVerifierCallback> callback( |
| 240 new DummyProofVerifierCallback); | 241 new DummyProofVerifierCallback); |
| 241 QuicAsyncStatus status = proof_verifier.VerifyProof( | 242 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 242 kTestHostname, kTestConfig, certs_, ct::GetSCTListForTesting(), "", | 243 kTestHostname, kTestConfig, QUIC_VERSION_25, "", certs_, |
| 243 verify_context_.get(), &error_details_, &details_, callback.get()); | 244 ct::GetSCTListForTesting(), "", verify_context_.get(), &error_details_, |
| 245 &details_, callback.get()); |
| 244 ASSERT_EQ(QUIC_FAILURE, status); | 246 ASSERT_EQ(QUIC_FAILURE, status); |
| 245 CheckSCT(/*sct_expected_ok=*/true); | 247 CheckSCT(/*sct_expected_ok=*/true); |
| 246 } | 248 } |
| 247 | 249 |
| 248 // Invalid SCT and signature. | 250 // Invalid SCT and signature. |
| 249 TEST_F(ProofVerifierChromiumTest, InvalidSCTList) { | 251 TEST_F(ProofVerifierChromiumTest, InvalidSCTList) { |
| 250 // Use different certificates for SCT tests. | 252 // Use different certificates for SCT tests. |
| 251 ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); | 253 ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); |
| 252 | 254 |
| 253 MockCertVerifier cert_verifier; | 255 MockCertVerifier cert_verifier; |
| 254 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, | 256 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, |
| 255 ct_verifier_.get()); | 257 ct_verifier_.get()); |
| 256 | 258 |
| 257 scoped_ptr<DummyProofVerifierCallback> callback( | 259 scoped_ptr<DummyProofVerifierCallback> callback( |
| 258 new DummyProofVerifierCallback); | 260 new DummyProofVerifierCallback); |
| 259 QuicAsyncStatus status = proof_verifier.VerifyProof( | 261 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 260 kTestHostname, kTestConfig, certs_, ct::GetSCTListWithInvalidSCT(), "", | 262 kTestHostname, kTestConfig, QUIC_VERSION_25, "", certs_, |
| 261 verify_context_.get(), &error_details_, &details_, callback.get()); | 263 ct::GetSCTListWithInvalidSCT(), "", verify_context_.get(), |
| 264 &error_details_, &details_, callback.get()); |
| 262 ASSERT_EQ(QUIC_FAILURE, status); | 265 ASSERT_EQ(QUIC_FAILURE, status); |
| 263 CheckSCT(/*sct_expected_ok=*/false); | 266 CheckSCT(/*sct_expected_ok=*/false); |
| 264 } | 267 } |
| 265 | 268 |
| 266 // Tests that the ProofVerifier doesn't verify certificates if the config | 269 // Tests that the ProofVerifier doesn't verify certificates if the config |
| 267 // signature fails. | 270 // signature fails. |
| 268 TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) { | 271 TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) { |
| 269 FailsTestCertVerifier cert_verifier; | 272 FailsTestCertVerifier cert_verifier; |
| 270 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, | 273 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, |
| 271 ct_verifier_.get()); | 274 ct_verifier_.get()); |
| 272 | 275 |
| 273 scoped_ptr<DummyProofVerifierCallback> callback( | 276 scoped_ptr<DummyProofVerifierCallback> callback( |
| 274 new DummyProofVerifierCallback); | 277 new DummyProofVerifierCallback); |
| 275 QuicAsyncStatus status = proof_verifier.VerifyProof( | 278 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 276 kTestHostname, kTestConfig, certs_, "", kTestConfig, | 279 kTestHostname, kTestConfig, QUIC_VERSION_25, "", certs_, "", kTestConfig, |
| 277 verify_context_.get(), &error_details_, &details_, callback.get()); | 280 verify_context_.get(), &error_details_, &details_, callback.get()); |
| 278 ASSERT_EQ(QUIC_FAILURE, status); | 281 ASSERT_EQ(QUIC_FAILURE, status); |
| 279 } | 282 } |
| 280 | 283 |
| 281 // Tests that EV certificates are left as EV if there is no certificate | 284 // Tests that EV certificates are left as EV if there is no certificate |
| 282 // policy enforcement. | 285 // policy enforcement. |
| 283 TEST_F(ProofVerifierChromiumTest, PreservesEVIfNoPolicy) { | 286 TEST_F(ProofVerifierChromiumTest, PreservesEVIfNoPolicy) { |
| 284 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | 287 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
| 285 ASSERT_TRUE(test_cert); | 288 ASSERT_TRUE(test_cert); |
| 286 | 289 |
| 287 CertVerifyResult dummy_result; | 290 CertVerifyResult dummy_result; |
| 288 dummy_result.verified_cert = test_cert; | 291 dummy_result.verified_cert = test_cert; |
| 289 dummy_result.cert_status = CERT_STATUS_IS_EV; | 292 dummy_result.cert_status = CERT_STATUS_IS_EV; |
| 290 | 293 |
| 291 MockCertVerifier dummy_verifier; | 294 MockCertVerifier dummy_verifier; |
| 292 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 295 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 293 | 296 |
| 294 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr, | 297 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr, |
| 295 ct_verifier_.get()); | 298 ct_verifier_.get()); |
| 296 | 299 |
| 297 scoped_ptr<DummyProofVerifierCallback> callback( | 300 scoped_ptr<DummyProofVerifierCallback> callback( |
| 298 new DummyProofVerifierCallback); | 301 new DummyProofVerifierCallback); |
| 299 QuicAsyncStatus status = proof_verifier.VerifyProof( | 302 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 300 kTestHostname, kTestConfig, certs_, "", GetTestSignature(), | 303 kTestHostname, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 301 verify_context_.get(), &error_details_, &details_, callback.get()); | 304 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 305 callback.get()); |
| 302 ASSERT_EQ(QUIC_SUCCESS, status); | 306 ASSERT_EQ(QUIC_SUCCESS, status); |
| 303 | 307 |
| 304 ASSERT_TRUE(details_.get()); | 308 ASSERT_TRUE(details_.get()); |
| 305 ProofVerifyDetailsChromium* verify_details = | 309 ProofVerifyDetailsChromium* verify_details = |
| 306 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 310 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| 307 EXPECT_EQ(dummy_result.cert_status, | 311 EXPECT_EQ(dummy_result.cert_status, |
| 308 verify_details->cert_verify_result.cert_status); | 312 verify_details->cert_verify_result.cert_status); |
| 309 } | 313 } |
| 310 | 314 |
| 311 // Tests that the certificate policy enforcer is consulted for EV | 315 // Tests that the certificate policy enforcer is consulted for EV |
| 322 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 326 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 323 | 327 |
| 324 MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/); | 328 MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/); |
| 325 | 329 |
| 326 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | 330 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, |
| 327 nullptr, ct_verifier_.get()); | 331 nullptr, ct_verifier_.get()); |
| 328 | 332 |
| 329 scoped_ptr<DummyProofVerifierCallback> callback( | 333 scoped_ptr<DummyProofVerifierCallback> callback( |
| 330 new DummyProofVerifierCallback); | 334 new DummyProofVerifierCallback); |
| 331 QuicAsyncStatus status = proof_verifier.VerifyProof( | 335 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 332 kTestHostname, kTestConfig, certs_, "", GetTestSignature(), | 336 kTestHostname, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 333 verify_context_.get(), &error_details_, &details_, callback.get()); | 337 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 338 callback.get()); |
| 334 ASSERT_EQ(QUIC_SUCCESS, status); | 339 ASSERT_EQ(QUIC_SUCCESS, status); |
| 335 | 340 |
| 336 ASSERT_TRUE(details_.get()); | 341 ASSERT_TRUE(details_.get()); |
| 337 ProofVerifyDetailsChromium* verify_details = | 342 ProofVerifyDetailsChromium* verify_details = |
| 338 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 343 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| 339 EXPECT_EQ(dummy_result.cert_status, | 344 EXPECT_EQ(dummy_result.cert_status, |
| 340 verify_details->cert_verify_result.cert_status); | 345 verify_details->cert_verify_result.cert_status); |
| 341 } | 346 } |
| 342 | 347 |
| 343 // Tests that the certificate policy enforcer is consulted for EV | 348 // Tests that the certificate policy enforcer is consulted for EV |
| 354 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 359 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 355 | 360 |
| 356 MockCTPolicyEnforcer policy_enforcer(false /*is_ev*/); | 361 MockCTPolicyEnforcer policy_enforcer(false /*is_ev*/); |
| 357 | 362 |
| 358 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | 363 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, |
| 359 nullptr, ct_verifier_.get()); | 364 nullptr, ct_verifier_.get()); |
| 360 | 365 |
| 361 scoped_ptr<DummyProofVerifierCallback> callback( | 366 scoped_ptr<DummyProofVerifierCallback> callback( |
| 362 new DummyProofVerifierCallback); | 367 new DummyProofVerifierCallback); |
| 363 QuicAsyncStatus status = proof_verifier.VerifyProof( | 368 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 364 kTestHostname, kTestConfig, certs_, "", GetTestSignature(), | 369 kTestHostname, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 365 verify_context_.get(), &error_details_, &details_, callback.get()); | 370 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 371 callback.get()); |
| 366 ASSERT_EQ(QUIC_SUCCESS, status); | 372 ASSERT_EQ(QUIC_SUCCESS, status); |
| 367 | 373 |
| 368 ASSERT_TRUE(details_.get()); | 374 ASSERT_TRUE(details_.get()); |
| 369 ProofVerifyDetailsChromium* verify_details = | 375 ProofVerifyDetailsChromium* verify_details = |
| 370 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 376 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| 371 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED, | 377 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED, |
| 372 verify_details->cert_verify_result.cert_status & | 378 verify_details->cert_verify_result.cert_status & |
| 373 (CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV)); | 379 (CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV)); |
| 374 } | 380 } |
| 375 | 381 |
| 387 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 393 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 388 | 394 |
| 389 FailsTestCTPolicyEnforcer policy_enforcer; | 395 FailsTestCTPolicyEnforcer policy_enforcer; |
| 390 | 396 |
| 391 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | 397 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, |
| 392 nullptr, ct_verifier_.get()); | 398 nullptr, ct_verifier_.get()); |
| 393 | 399 |
| 394 scoped_ptr<DummyProofVerifierCallback> callback( | 400 scoped_ptr<DummyProofVerifierCallback> callback( |
| 395 new DummyProofVerifierCallback); | 401 new DummyProofVerifierCallback); |
| 396 QuicAsyncStatus status = proof_verifier.VerifyProof( | 402 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 397 kTestHostname, kTestConfig, certs_, "", GetTestSignature(), | 403 kTestHostname, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 398 verify_context_.get(), &error_details_, &details_, callback.get()); | 404 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 405 callback.get()); |
| 399 ASSERT_EQ(QUIC_SUCCESS, status); | 406 ASSERT_EQ(QUIC_SUCCESS, status); |
| 400 | 407 |
| 401 ASSERT_TRUE(details_.get()); | 408 ASSERT_TRUE(details_.get()); |
| 402 ProofVerifyDetailsChromium* verify_details = | 409 ProofVerifyDetailsChromium* verify_details = |
| 403 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 410 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| 404 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | 411 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
| 405 } | 412 } |
| 406 | 413 |
| 407 } // namespace test | 414 } // namespace test |
| 408 } // namespace net | 415 } // namespace net |
| OLD | NEW |
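Review bot: All eight updated `VerifyProof` calls pass the same two new arguments, `QUIC_VERSION_25` and an empty string, so nothing in this file exercises whatever the new parameters change in proof verification; the first such call is in FailsIfCertFails (new line 225). If the version and the new string (presumably a hash of the client hello) feed into the signed payload, a test should pass a non-empty value with a version that uses it and assert `QUIC_FAILURE` when the signature was produced over a different value. Without that negative case, a regression that silently ignores the new argument would still pass every test here. The two bare `""` literals on either side of `certs_` are also easy to transpose, so label them in the file's existing `/*sct_expected_ok=*/` style, e.g. `/*chlo_hash=*/""` and `/*cert_sct=*/""`. Those parameter names should be checked against the `VerifyProof` declaration, which is not shown on this page.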