| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/files/file_path.h" | 5 #include "base/files/file_path.h" |
| 6 #include "net/base/ip_endpoint.h" | 6 #include "net/base/ip_endpoint.h" |
| 7 #include "net/base/net_errors.h" | 7 #include "net/base/net_errors.h" |
| 8 #include "net/base/test_completion_callback.h" | 8 #include "net/base/test_completion_callback.h" |
| 9 #include "net/base/test_data_directory.h" | 9 #include "net/base/test_data_directory.h" |
| 10 #include "net/cert/cert_status_flags.h" | 10 #include "net/cert/cert_status_flags.h" |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 50 TestCompletionCallback* const comp_callback_; | 50 TestCompletionCallback* const comp_callback_; |
| 51 bool* const ok_; | 51 bool* const ok_; |
| 52 string* const error_details_; | 52 string* const error_details_; |
| 53 }; | 53 }; |
| 54 | 54 |
| 55 // RunVerification runs |verifier->VerifyProof| and asserts that the result | 55 // RunVerification runs |verifier->VerifyProof| and asserts that the result |
| 56 // matches |expected_ok|. | 56 // matches |expected_ok|. |
| 57 void RunVerification(ProofVerifier* verifier, | 57 void RunVerification(ProofVerifier* verifier, |
| 58 const string& hostname, | 58 const string& hostname, |
| 59 const string& server_config, | 59 const string& server_config, |
| 60 QuicVersion quic_version, |
| 61 StringPiece chlo_hash, |
| 60 const vector<string>& certs, | 62 const vector<string>& certs, |
| 61 const string& proof, | 63 const string& proof, |
| 62 bool expected_ok) { | 64 bool expected_ok) { |
| 63 scoped_ptr<ProofVerifyDetails> details; | 65 scoped_ptr<ProofVerifyDetails> details; |
| 64 TestCompletionCallback comp_callback; | 66 TestCompletionCallback comp_callback; |
| 65 bool ok; | 67 bool ok; |
| 66 string error_details; | 68 string error_details; |
| 67 scoped_ptr<ProofVerifyContext> verify_context( | 69 scoped_ptr<ProofVerifyContext> verify_context( |
| 68 CryptoTestUtils::ProofVerifyContextForTesting()); | 70 CryptoTestUtils::ProofVerifyContextForTesting()); |
| 69 TestProofVerifierCallback* callback = | 71 TestProofVerifierCallback* callback = |
| 70 new TestProofVerifierCallback(&comp_callback, &ok, &error_details); | 72 new TestProofVerifierCallback(&comp_callback, &ok, &error_details); |
| 71 | 73 |
| 72 QuicAsyncStatus status = verifier->VerifyProof( | 74 QuicAsyncStatus status = verifier->VerifyProof( |
| 73 hostname, server_config, certs, "", proof, verify_context.get(), | 75 hostname, server_config, quic_version, chlo_hash, certs, "", proof, |
| 74 &error_details, &details, callback); | 76 verify_context.get(), &error_details, &details, callback); |
| 75 | 77 |
| 76 switch (status) { | 78 switch (status) { |
| 77 case QUIC_FAILURE: | 79 case QUIC_FAILURE: |
| 78 delete callback; | 80 delete callback; |
| 79 ASSERT_FALSE(expected_ok); | 81 ASSERT_FALSE(expected_ok); |
| 80 ASSERT_NE("", error_details); | 82 ASSERT_NE("", error_details); |
| 81 return; | 83 return; |
| 82 case QUIC_SUCCESS: | 84 case QUIC_SUCCESS: |
| 83 delete callback; | 85 delete callback; |
| 84 ASSERT_TRUE(expected_ok); | 86 ASSERT_TRUE(expected_ok); |
| (...skipping 12 matching lines...) Expand all Loading... |
| 97 base::FilePath certs_dir = GetTestCertsDirectory(); | 99 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 98 scoped_refptr<X509Certificate> cert = | 100 scoped_refptr<X509Certificate> cert = |
| 99 ImportCertFromFile(certs_dir, "quic_" + file_name); | 101 ImportCertFromFile(certs_dir, "quic_" + file_name); |
| 100 CHECK_NE(static_cast<X509Certificate*>(nullptr), cert.get()); | 102 CHECK_NE(static_cast<X509Certificate*>(nullptr), cert.get()); |
| 101 | 103 |
| 102 string der_bytes; | 104 string der_bytes; |
| 103 CHECK(X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_bytes)); | 105 CHECK(X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_bytes)); |
| 104 return der_bytes; | 106 return der_bytes; |
| 105 } | 107 } |
| 106 | 108 |
| 109 class ProofTest : public ::testing::TestWithParam<QuicVersion> {}; |
| 110 |
| 107 } // namespace | 111 } // namespace |
| 108 | 112 |
| 113 INSTANTIATE_TEST_CASE_P(QuicVersion, |
| 114 ProofTest, |
| 115 ::testing::ValuesIn(QuicSupportedVersions())); |
| 116 |
| 109 // TODO(rtenneti): Enable testing of ProofVerifier. See http://crbug.com/514468. | 117 // TODO(rtenneti): Enable testing of ProofVerifier. See http://crbug.com/514468. |
| 110 TEST(ProofTest, DISABLED_Verify) { | 118 TEST_P(ProofTest, DISABLED_Verify) { |
| 111 scoped_ptr<ProofSource> source(CryptoTestUtils::ProofSourceForTesting()); | 119 scoped_ptr<ProofSource> source(CryptoTestUtils::ProofSourceForTesting()); |
| 112 scoped_ptr<ProofVerifier> verifier( | 120 scoped_ptr<ProofVerifier> verifier( |
| 113 CryptoTestUtils::ProofVerifierForTesting()); | 121 CryptoTestUtils::ProofVerifierForTesting()); |
| 114 | 122 |
| 115 const string server_config = "server config bytes"; | 123 const string server_config = "server config bytes"; |
| 116 const string hostname = "test.example.com"; | 124 const string hostname = "test.example.com"; |
| 125 const string first_chlo_hash = "first chlo hash bytes"; |
| 126 const string second_chlo_hash = "first chlo hash bytes"; |
| 127 const QuicVersion quic_version = GetParam(); |
| 117 scoped_refptr<ProofSource::Chain> chain; | 128 scoped_refptr<ProofSource::Chain> chain; |
| 118 scoped_refptr<ProofSource::Chain> first_chain; | 129 scoped_refptr<ProofSource::Chain> first_chain; |
| 119 string error_details, signature, first_signature, first_cert_sct, cert_sct; | 130 string error_details, signature, first_signature, first_cert_sct, cert_sct; |
| 120 IPAddress server_ip; | 131 IPAddress server_ip; |
| 121 | 132 |
| 122 ASSERT_TRUE(source->GetProof(server_ip, hostname, server_config, | 133 ASSERT_TRUE(source->GetProof( |
| 123 false /* no ECDSA */, &first_chain, | 134 server_ip, hostname, server_config, quic_version, first_chlo_hash, |
| 124 &first_signature, &first_cert_sct)); | 135 false /* no ECDSA */, &first_chain, &first_signature, &first_cert_sct)); |
| 125 ASSERT_TRUE(source->GetProof(server_ip, hostname, server_config, | 136 ASSERT_TRUE(source->GetProof(server_ip, hostname, server_config, quic_version, |
| 126 false /* no ECDSA */, &chain, &signature, | 137 second_chlo_hash, false /* no ECDSA */, &chain, |
| 127 &cert_sct)); | 138 &signature, &cert_sct)); |
| 128 | 139 |
| 129 // Check that the proof source is caching correctly: | 140 // Check that the proof source is caching correctly: |
| 130 ASSERT_EQ(first_chain->certs, chain->certs); | 141 ASSERT_EQ(first_chain->certs, chain->certs); |
| 131 ASSERT_EQ(signature, first_signature); | 142 if (GetParam() < QUIC_VERSION_31) { |
| 143 ASSERT_EQ(signature, first_signature); |
| 144 } else { |
| 145 // QUIC 31 includes the CHLO hash. |
| 146 ASSERT_NE(signature, first_signature); |
| 147 } |
| 132 ASSERT_EQ(first_cert_sct, cert_sct); | 148 ASSERT_EQ(first_cert_sct, cert_sct); |
| 133 | 149 |
| 134 RunVerification(verifier.get(), hostname, server_config, chain->certs, | 150 RunVerification(verifier.get(), hostname, server_config, quic_version, |
| 135 signature, true); | 151 first_chlo_hash, chain->certs, signature, true); |
| 136 | 152 |
| 137 RunVerification(verifier.get(), "foo.com", server_config, chain->certs, | 153 RunVerification(verifier.get(), "foo.com", server_config, quic_version, |
| 154 first_chlo_hash, chain->certs, signature, false); |
| 155 |
| 156 RunVerification(verifier.get(), server_config.substr(1, string::npos), |
| 157 server_config, quic_version, first_chlo_hash, chain->certs, |
| 138 signature, false); | 158 signature, false); |
| 139 | 159 |
| 140 RunVerification(verifier.get(), server_config.substr(1, string::npos), | |
| 141 server_config, chain->certs, signature, false); | |
| 142 | |
| 143 const string corrupt_signature = "1" + signature; | 160 const string corrupt_signature = "1" + signature; |
| 144 RunVerification(verifier.get(), hostname, server_config, chain->certs, | 161 RunVerification(verifier.get(), hostname, server_config, quic_version, |
| 145 corrupt_signature, false); | 162 first_chlo_hash, chain->certs, corrupt_signature, false); |
| 146 | 163 |
| 147 vector<string> wrong_certs; | 164 vector<string> wrong_certs; |
| 148 for (size_t i = 1; i < chain->certs.size(); i++) { | 165 for (size_t i = 1; i < chain->certs.size(); i++) { |
| 149 wrong_certs.push_back(chain->certs[i]); | 166 wrong_certs.push_back(chain->certs[i]); |
| 150 } | 167 } |
| 151 RunVerification(verifier.get(), "foo.com", server_config, wrong_certs, | 168 RunVerification(verifier.get(), "foo.com", server_config, quic_version, |
| 152 corrupt_signature, false); | 169 first_chlo_hash, wrong_certs, corrupt_signature, false); |
| 153 } | 170 } |
| 154 | 171 |
| 155 TEST(ProofTest, UseAfterFree) { | 172 TEST_P(ProofTest, UseAfterFree) { |
| 156 ProofSource* source = CryptoTestUtils::ProofSourceForTesting(); | 173 ProofSource* source = CryptoTestUtils::ProofSourceForTesting(); |
| 157 | 174 |
| 158 const string server_config = "server config bytes"; | 175 const string server_config = "server config bytes"; |
| 159 const string hostname = "test.example.com"; | 176 const string hostname = "test.example.com"; |
| 177 const string chlo_hash = "proof nonce bytes"; |
| 160 scoped_refptr<ProofSource::Chain> chain; | 178 scoped_refptr<ProofSource::Chain> chain; |
| 161 string error_details, signature, cert_sct; | 179 string error_details, signature, cert_sct; |
| 162 IPAddress server_ip; | 180 IPAddress server_ip; |
| 163 | 181 |
| 164 ASSERT_TRUE(source->GetProof(server_ip, hostname, server_config, | 182 ASSERT_TRUE(source->GetProof(server_ip, hostname, server_config, GetParam(), |
| 165 false /* no ECDSA */, &chain, &signature, | 183 chlo_hash, false /* no ECDSA */, &chain, |
| 166 &cert_sct)); | 184 &signature, &cert_sct)); |
| 167 | 185 |
| 168 // Make sure we can safely access results after deleting where they came from. | 186 // Make sure we can safely access results after deleting where they came from. |
| 169 EXPECT_FALSE(chain->HasOneRef()); | 187 EXPECT_FALSE(chain->HasOneRef()); |
| 170 delete source; | 188 delete source; |
| 171 EXPECT_TRUE(chain->HasOneRef()); | 189 EXPECT_TRUE(chain->HasOneRef()); |
| 172 | 190 |
| 173 EXPECT_FALSE(chain->certs.empty()); | 191 EXPECT_FALSE(chain->certs.empty()); |
| 174 for (const string& cert : chain->certs) { | 192 for (const string& cert : chain->certs) { |
| 175 EXPECT_FALSE(cert.empty()); | 193 EXPECT_FALSE(cert.empty()); |
| 176 } | 194 } |
| 177 } | 195 } |
| 178 | 196 |
| 179 // A known answer test that allows us to test ProofVerifier without a working | 197 // A known answer test that allows us to test ProofVerifier without a working |
| 180 // ProofSource. | 198 // ProofSource. |
| 181 TEST(ProofTest, VerifyRSAKnownAnswerTest) { | 199 TEST_P(ProofTest, VerifyRSAKnownAnswerTest) { |
| 200 if (GetParam() > QUIC_VERSION_30) { |
| 201 return; |
| 202 } |
| 182 // These sample signatures were generated by running the Proof.Verify test | 203 // These sample signatures were generated by running the Proof.Verify test |
| 183 // and dumping the bytes of the |signature| output of ProofSource::GetProof(). | 204 // and dumping the bytes of the |signature| output of ProofSource::GetProof(). |
| 184 static const unsigned char signature_data_0[] = { | 205 static const unsigned char signature_data_0[] = { |
| 185 0x31, 0xd5, 0xfb, 0x40, 0x30, 0x75, 0xd2, 0x7d, 0x61, 0xf9, 0xd7, 0x54, | 206 0x31, 0xd5, 0xfb, 0x40, 0x30, 0x75, 0xd2, 0x7d, 0x61, 0xf9, 0xd7, 0x54, |
| 186 0x30, 0x06, 0xaf, 0x54, 0x0d, 0xb0, 0x0a, 0xda, 0x63, 0xca, 0x7e, 0x9e, | 207 0x30, 0x06, 0xaf, 0x54, 0x0d, 0xb0, 0x0a, 0xda, 0x63, 0xca, 0x7e, 0x9e, |
| 187 0xce, 0xba, 0x10, 0x05, 0x1b, 0xa6, 0x7f, 0xef, 0x2b, 0xa3, 0xff, 0x3c, | 208 0xce, 0xba, 0x10, 0x05, 0x1b, 0xa6, 0x7f, 0xef, 0x2b, 0xa3, 0xff, 0x3c, |
| 188 0xbb, 0x9a, 0xe4, 0xbf, 0xb8, 0x0c, 0xc1, 0xbd, 0xed, 0xc2, 0x90, 0x68, | 209 0xbb, 0x9a, 0xe4, 0xbf, 0xb8, 0x0c, 0xc1, 0xbd, 0xed, 0xc2, 0x90, 0x68, |
| 189 0xeb, 0x45, 0x48, 0xea, 0x3c, 0x95, 0xf8, 0xa2, 0xb9, 0xe7, 0x62, 0x29, | 210 0xeb, 0x45, 0x48, 0xea, 0x3c, 0x95, 0xf8, 0xa2, 0xb9, 0xe7, 0x62, 0x29, |
| 190 0x00, 0xc3, 0x18, 0xb4, 0x16, 0x6f, 0x5e, 0xb0, 0xc1, 0x26, 0xc0, 0x4b, | 211 0x00, 0xc3, 0x18, 0xb4, 0x16, 0x6f, 0x5e, 0xb0, 0xc1, 0x26, 0xc0, 0x4b, |
| 191 0x84, 0xf5, 0x97, 0xfc, 0x17, 0xf9, 0x1c, 0x43, 0xb8, 0xf2, 0x3f, 0x38, | 212 0x84, 0xf5, 0x97, 0xfc, 0x17, 0xf9, 0x1c, 0x43, 0xb8, 0xf2, 0x3f, 0x38, |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 252 0xdc, 0xc5, 0x56, 0x84, 0x8a, 0x31, 0x31, 0x23, 0x61, 0x94, 0x7e, 0x01, | 273 0xdc, 0xc5, 0x56, 0x84, 0x8a, 0x31, 0x31, 0x23, 0x61, 0x94, 0x7e, 0x01, |
| 253 0x22, 0x49, 0xf3, 0xcb, 0x0e, 0x31, 0x03, 0x04, 0x1b, 0x14, 0x43, 0x7c, | 274 0x22, 0x49, 0xf3, 0xcb, 0x0e, 0x31, 0x03, 0x04, 0x1b, 0x14, 0x43, 0x7c, |
| 254 0xad, 0x42, 0xe5, 0x55, | 275 0xad, 0x42, 0xe5, 0x55, |
| 255 }; | 276 }; |
| 256 | 277 |
| 257 scoped_ptr<ProofVerifier> verifier( | 278 scoped_ptr<ProofVerifier> verifier( |
| 258 CryptoTestUtils::RealProofVerifierForTesting()); | 279 CryptoTestUtils::RealProofVerifierForTesting()); |
| 259 | 280 |
| 260 const string server_config = "server config bytes"; | 281 const string server_config = "server config bytes"; |
| 261 const string hostname = "test.example.com"; | 282 const string hostname = "test.example.com"; |
| 283 const string chlo_hash = "proof nonce bytes"; |
| 284 const QuicVersion quic_version = GetParam(); |
| 262 | 285 |
| 263 vector<string> certs(2); | 286 vector<string> certs(2); |
| 264 certs[0] = LoadTestCert("test.example.com.crt"); | 287 certs[0] = LoadTestCert("test.example.com.crt"); |
| 265 certs[1] = LoadTestCert("intermediate.crt"); | 288 certs[1] = LoadTestCert("intermediate.crt"); |
| 266 | 289 |
| 267 // Signatures are nondeterministic, so we test multiple signatures on the | 290 // Signatures are nondeterministic, so we test multiple signatures on the |
| 268 // same server_config. | 291 // same server_config. |
| 269 vector<string> signatures(3); | 292 vector<string> signatures(3); |
| 270 signatures[0].assign(reinterpret_cast<const char*>(signature_data_0), | 293 signatures[0].assign(reinterpret_cast<const char*>(signature_data_0), |
| 271 sizeof(signature_data_0)); | 294 sizeof(signature_data_0)); |
| 272 signatures[1].assign(reinterpret_cast<const char*>(signature_data_1), | 295 signatures[1].assign(reinterpret_cast<const char*>(signature_data_1), |
| 273 sizeof(signature_data_1)); | 296 sizeof(signature_data_1)); |
| 274 signatures[2].assign(reinterpret_cast<const char*>(signature_data_2), | 297 signatures[2].assign(reinterpret_cast<const char*>(signature_data_2), |
| 275 sizeof(signature_data_2)); | 298 sizeof(signature_data_2)); |
| 276 | 299 |
| 277 for (size_t i = 0; i < signatures.size(); i++) { | 300 for (size_t i = 0; i < signatures.size(); i++) { |
| 278 const string& signature = signatures[i]; | 301 const string& signature = signatures[i]; |
| 279 | 302 |
| 280 RunVerification(verifier.get(), hostname, server_config, certs, signature, | 303 RunVerification(verifier.get(), hostname, server_config, quic_version, |
| 281 true); | 304 chlo_hash, certs, signature, true); |
| 282 RunVerification(verifier.get(), "foo.com", server_config, certs, signature, | 305 RunVerification(verifier.get(), "foo.com", server_config, quic_version, |
| 283 false); | 306 chlo_hash, certs, signature, false); |
| 284 RunVerification(verifier.get(), hostname, | 307 RunVerification(verifier.get(), hostname, |
| 285 server_config.substr(1, string::npos), certs, signature, | 308 server_config.substr(1, string::npos), quic_version, |
| 286 false); | 309 chlo_hash, certs, signature, false); |
| 287 | 310 |
| 288 const string corrupt_signature = "1" + signature; | 311 const string corrupt_signature = "1" + signature; |
| 289 RunVerification(verifier.get(), hostname, server_config, certs, | 312 RunVerification(verifier.get(), hostname, server_config, quic_version, |
| 290 corrupt_signature, false); | 313 chlo_hash, certs, corrupt_signature, false); |
| 291 | 314 |
| 292 vector<string> wrong_certs; | 315 vector<string> wrong_certs; |
| 293 for (size_t i = 1; i < certs.size(); i++) { | 316 for (size_t i = 1; i < certs.size(); i++) { |
| 294 wrong_certs.push_back(certs[i]); | 317 wrong_certs.push_back(certs[i]); |
| 295 } | 318 } |
| 296 RunVerification(verifier.get(), hostname, server_config, wrong_certs, | 319 RunVerification(verifier.get(), hostname, server_config, quic_version, |
| 297 signature, false); | 320 chlo_hash, wrong_certs, signature, false); |
| 298 } | 321 } |
| 299 } | 322 } |
| 300 | 323 |
| 301 // A known answer test that allows us to test ProofVerifier without a working | 324 // A known answer test that allows us to test ProofVerifier without a working |
| 302 // ProofSource. | 325 // ProofSource. |
| 303 TEST(ProofTest, VerifyECDSAKnownAnswerTest) { | 326 TEST_P(ProofTest, VerifyECDSAKnownAnswerTest) { |
| 327 if (GetParam() > QUIC_VERSION_30) { |
| 328 return; |
| 329 } |
| 330 // These sample signatures were generated by running the Proof.Verify test |
| 331 // (modified to use ECDSA for signing proofs) and dumping the bytes of the |
| 332 // |signature| output of ProofSource::GetProof(). |
| 333 |
| 304 // Disable this test on platforms that do not support ECDSA certificates. | 334 // Disable this test on platforms that do not support ECDSA certificates. |
| 305 #if defined(OS_WIN) | 335 #if defined(OS_WIN) |
| 306 if (base::win::GetVersion() < base::win::VERSION_VISTA) | 336 if (base::win::GetVersion() < base::win::VERSION_VISTA) |
| 307 return; | 337 return; |
| 308 #endif | 338 #endif |
| 309 | 339 |
| 310 // These sample signatures were generated by running the Proof.Verify test | 340 // These sample signatures were generated by running the Proof.Verify test |
| 311 // (modified to use ECDSA for signing proofs) and dumping the bytes of the | 341 // (modified to use ECDSA for signing proofs) and dumping the bytes of the |
| 312 // |signature| output of ProofSource::GetProof(). | 342 // |signature| output of ProofSource::GetProof(). |
| 313 static const unsigned char signature_data_0[] = { | 343 static const unsigned char signature_data_0[] = { |
| (...skipping 19 matching lines...) Expand all Loading... |
| 333 0x02, 0x21, 0x00, 0xc6, 0x20, 0xd4, 0x28, 0xf9, 0x70, 0xb5, 0xb4, 0xff, | 363 0x02, 0x21, 0x00, 0xc6, 0x20, 0xd4, 0x28, 0xf9, 0x70, 0xb5, 0xb4, 0xff, |
| 334 0x4a, 0x35, 0xba, 0xa0, 0xf2, 0x8e, 0x00, 0xf7, 0xcb, 0x43, 0xaf, 0x2d, | 364 0x4a, 0x35, 0xba, 0xa0, 0xf2, 0x8e, 0x00, 0xf7, 0xcb, 0x43, 0xaf, 0x2d, |
| 335 0x1f, 0xce, 0x92, 0x05, 0xca, 0x29, 0xfe, 0xd2, 0x8f, 0xd9, 0x31, | 365 0x1f, 0xce, 0x92, 0x05, 0xca, 0x29, 0xfe, 0xd2, 0x8f, 0xd9, 0x31, |
| 336 }; | 366 }; |
| 337 | 367 |
| 338 scoped_ptr<ProofVerifier> verifier( | 368 scoped_ptr<ProofVerifier> verifier( |
| 339 CryptoTestUtils::RealProofVerifierForTesting()); | 369 CryptoTestUtils::RealProofVerifierForTesting()); |
| 340 | 370 |
| 341 const string server_config = "server config bytes"; | 371 const string server_config = "server config bytes"; |
| 342 const string hostname = "test.example.com"; | 372 const string hostname = "test.example.com"; |
| 373 const string chlo_hash = "chlo_hash nonce bytes"; |
| 374 const QuicVersion quic_version = GetParam(); |
| 343 | 375 |
| 344 vector<string> certs(2); | 376 vector<string> certs(2); |
| 345 certs[0] = LoadTestCert("test_ecc.example.com.crt"); | 377 certs[0] = LoadTestCert("test_ecc.example.com.crt"); |
| 346 certs[1] = LoadTestCert("intermediate.crt"); | 378 certs[1] = LoadTestCert("intermediate.crt"); |
| 347 | 379 |
| 348 // Signatures are nondeterministic, so we test multiple signatures on the | 380 // Signatures are nondeterministic, so we test multiple signatures on the |
| 349 // same server_config. | 381 // same server_config. |
| 350 vector<string> signatures(3); | 382 vector<string> signatures(3); |
| 351 signatures[0].assign(reinterpret_cast<const char*>(signature_data_0), | 383 signatures[0].assign(reinterpret_cast<const char*>(signature_data_0), |
| 352 sizeof(signature_data_0)); | 384 sizeof(signature_data_0)); |
| 353 signatures[1].assign(reinterpret_cast<const char*>(signature_data_1), | 385 signatures[1].assign(reinterpret_cast<const char*>(signature_data_1), |
| 354 sizeof(signature_data_1)); | 386 sizeof(signature_data_1)); |
| 355 signatures[2].assign(reinterpret_cast<const char*>(signature_data_2), | 387 signatures[2].assign(reinterpret_cast<const char*>(signature_data_2), |
| 356 sizeof(signature_data_2)); | 388 sizeof(signature_data_2)); |
| 357 | 389 |
| 358 for (size_t i = 0; i < signatures.size(); i++) { | 390 for (size_t i = 0; i < signatures.size(); i++) { |
| 391 LOG(ERROR) << "====================" << i << "======================"; |
| 359 const string& signature = signatures[i]; | 392 const string& signature = signatures[i]; |
| 360 | 393 |
| 361 RunVerification(verifier.get(), hostname, server_config, certs, signature, | 394 LOG(ERROR) << "=================== expect ok ====================="; |
| 362 true); | 395 RunVerification(verifier.get(), hostname, server_config, quic_version, |
| 363 RunVerification(verifier.get(), "foo.com", server_config, certs, signature, | 396 chlo_hash, certs, signature, true); |
| 364 false); | 397 LOG(ERROR) << "=================== hose_name = foo.com ============="; |
| 398 RunVerification(verifier.get(), "foo.com", server_config, quic_version, |
| 399 chlo_hash, certs, signature, false); |
| 400 LOG(ERROR) << "================== server_config ===================="; |
| 365 RunVerification(verifier.get(), hostname, | 401 RunVerification(verifier.get(), hostname, |
| 366 server_config.substr(1, string::npos), certs, signature, | 402 server_config.substr(1, string::npos), quic_version, |
| 367 false); | 403 chlo_hash, certs, signature, false); |
| 368 | 404 |
| 369 // An ECDSA signature is DER-encoded. Corrupt the last byte so that the | 405 // An ECDSA signature is DER-encoded. Corrupt the last byte so that the |
| 370 // signature can still be DER-decoded correctly. | 406 // signature can still be DER-decoded correctly. |
| 371 string corrupt_signature = signature; | 407 string corrupt_signature = signature; |
| 372 corrupt_signature[corrupt_signature.size() - 1] += 1; | 408 corrupt_signature[corrupt_signature.size() - 1] += 1; |
| 373 RunVerification(verifier.get(), hostname, server_config, certs, | 409 LOG(ERROR) << "================= corrupt signature ======================="; |
| 374 corrupt_signature, false); | 410 RunVerification(verifier.get(), hostname, server_config, quic_version, |
| 411 chlo_hash, certs, corrupt_signature, false); |
| 375 | 412 |
| 376 // Prepending a "1" makes the DER invalid. | 413 // Prepending a "1" makes the DER invalid. |
| 377 const string bad_der_signature1 = "1" + signature; | 414 const string bad_der_signature1 = "1" + signature; |
| 378 RunVerification(verifier.get(), hostname, server_config, certs, | 415 LOG(ERROR) << "=========================bad der signature ==============="; |
| 379 bad_der_signature1, false); | 416 RunVerification(verifier.get(), hostname, server_config, quic_version, |
| 417 chlo_hash, certs, bad_der_signature1, false); |
| 380 | 418 |
| 381 vector<string> wrong_certs; | 419 vector<string> wrong_certs; |
| 382 for (size_t i = 1; i < certs.size(); i++) { | 420 for (size_t i = 1; i < certs.size(); i++) { |
| 383 wrong_certs.push_back(certs[i]); | 421 wrong_certs.push_back(certs[i]); |
| 384 } | 422 } |
| 385 RunVerification(verifier.get(), hostname, server_config, wrong_certs, | 423 LOG(ERROR) << "==================== wrong certs ========================="; |
| 386 signature, false); | 424 RunVerification(verifier.get(), hostname, server_config, quic_version, |
| 425 chlo_hash, wrong_certs, signature, false); |
| 387 } | 426 } |
| 388 } | 427 } |
| 389 | 428 |
| 390 } // namespace test | 429 } // namespace test |
| 391 } // namespace net | 430 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1765603002:
Add QUIC 31 in which the server's proof covers both the static server config as well as a hash of t… (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master