| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/base64.h" | 11 #include "base/base64.h" |
| 12 #include "base/files/file_path.h" | 12 #include "base/files/file_path.h" |
| 13 #include "base/json/json_reader.h" | 13 #include "base/json/json_reader.h" |
| 14 #include "base/rand_util.h" | 14 #include "base/rand_util.h" |
| 15 #include "base/sha1.h" | 15 #include "base/sha1.h" |
| 16 #include "base/strings/string_piece.h" | 16 #include "base/strings/string_piece.h" |
| 17 #include "base/test/histogram_tester.h" |
| 17 #include "base/values.h" | 18 #include "base/values.h" |
| 18 #include "crypto/sha2.h" | 19 #include "crypto/sha2.h" |
| 19 #include "net/base/host_port_pair.h" | 20 #include "net/base/host_port_pair.h" |
| 20 #include "net/base/net_errors.h" | 21 #include "net/base/net_errors.h" |
| 21 #include "net/base/test_completion_callback.h" | 22 #include "net/base/test_completion_callback.h" |
| 22 #include "net/base/test_data_directory.h" | 23 #include "net/base/test_data_directory.h" |
| 23 #include "net/cert/asn1_util.h" | 24 #include "net/cert/asn1_util.h" |
| 24 #include "net/cert/cert_verifier.h" | 25 #include "net/cert/cert_verifier.h" |
| 25 #include "net/cert/cert_verify_result.h" | 26 #include "net/cert/cert_verify_result.h" |
| 26 #include "net/cert/ct_policy_status.h" | 27 #include "net/cert/ct_policy_status.h" |
| (...skipping 56 matching lines...) |
| 83 : public TransportSecurityState::ReportSender { | 84 : public TransportSecurityState::ReportSender { |
| 84 public: | 85 public: |
| 85 MockCertificateReportSender() {} | 86 MockCertificateReportSender() {} |
| 86 ~MockCertificateReportSender() override {} | 87 ~MockCertificateReportSender() override {} |
| 87 | 88 |
| 88 void Send(const GURL& report_uri, const std::string& report) override { | 89 void Send(const GURL& report_uri, const std::string& report) override { |
| 89 latest_report_uri_ = report_uri; | 90 latest_report_uri_ = report_uri; |
| 90 latest_report_ = report; | 91 latest_report_ = report; |
| 91 } | 92 } |
| 92 | 93 |
| 94 void SetErrorCallback( |
| 95 const base::Callback<void(const GURL&, int)>& error_callback) override {} |
| 96 |
| 93 void Clear() { | 97 void Clear() { |
| 94 latest_report_uri_ = GURL(); | 98 latest_report_uri_ = GURL(); |
| 95 latest_report_ = std::string(); | 99 latest_report_ = std::string(); |
| 96 } | 100 } |
| 97 | 101 |
| 98 const GURL& latest_report_uri() { return latest_report_uri_; } | 102 const GURL& latest_report_uri() { return latest_report_uri_; } |
| 99 const std::string& latest_report() { return latest_report_; } | 103 const std::string& latest_report() { return latest_report_; } |
| 100 | 104 |
| 101 private: | 105 private: |
| 102 GURL latest_report_uri_; | 106 GURL latest_report_uri_; |
| 103 std::string latest_report_; | 107 std::string latest_report_; |
| 104 }; | 108 }; |
| 105 | 109 |
| 110 // A mock ReportSender that simulates a net error on every report sent. |
| 111 class MockFailingCertificateReportSender |
| 112 : public TransportSecurityState::ReportSender { |
| 113 public: |
| 114 MockFailingCertificateReportSender() : net_error_(ERR_CONNECTION_FAILED) {} |
| 115 ~MockFailingCertificateReportSender() override {} |
| 116 |
| 117 int net_error() { return net_error_; } |
| 118 |
| 119 // TransportSecurityState::ReportSender: |
| 120 void Send(const GURL& report_uri, const std::string& report) override { |
| 121 ASSERT_FALSE(error_callback_.is_null()); |
| 122 error_callback_.Run(report_uri, net_error_); |
| 123 } |
| 124 |
| 125 void SetErrorCallback( |
| 126 const base::Callback<void(const GURL&, int)>& error_callback) override { |
| 127 error_callback_ = error_callback; |
| 128 } |
| 129 |
| 130 private: |
| 131 const int net_error_; |
| 132 base::Callback<void(const GURL&, int)> error_callback_; |
| 133 }; |
| 134 |
| 106 // A mock ExpectCTReporter that remembers the latest violation that was | 135 // A mock ExpectCTReporter that remembers the latest violation that was |
| 107 // reported and the number of violations reported. | 136 // reported and the number of violations reported. |
| 108 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { | 137 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { |
| 109 public: | 138 public: |
| 110 MockExpectCTReporter() : num_failures_(0) {} | 139 MockExpectCTReporter() : num_failures_(0) {} |
| 111 ~MockExpectCTReporter() override {} | 140 ~MockExpectCTReporter() override {} |
| 112 | 141 |
| 113 void OnExpectCTFailed(const HostPortPair& host_port_pair, | 142 void OnExpectCTFailed(const HostPortPair& host_port_pair, |
| 114 const GURL& report_uri, | 143 const GURL& report_uri, |
| 115 const net::SSLInfo& ssl_info) override { | 144 const net::SSLInfo& ssl_info) override { |
| (...skipping 1156 matching lines...) |
| 1272 // Now a report should have been sent for the subdomain. Check that it | 1301 // Now a report should have been sent for the subdomain. Check that it |
| 1273 // contains the right information. | 1302 // contains the right information. |
| 1274 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); | 1303 EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); |
| 1275 report = mock_report_sender.latest_report(); | 1304 report = mock_report_sender.latest_report(); |
| 1276 ASSERT_FALSE(report.empty()); | 1305 ASSERT_FALSE(report.empty()); |
| 1277 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair, | 1306 ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair, |
| 1278 true, kHost, cert1.get(), cert2.get(), | 1307 true, kHost, cert1.get(), cert2.get(), |
| 1279 good_hashes)); | 1308 good_hashes)); |
| 1280 } | 1309 } |
| 1281 | 1310 |
| 1311 // Tests that a histogram entry is recorded when TransportSecurityState |
| 1312 // fails to send an HPKP violation report. |
| 1313 TEST_F(TransportSecurityStateTest, UMAOnHPKPReportingFailure) { |
| 1314 base::HistogramTester histograms; |
| 1315 const std::string histogram_name = "Net.PublicKeyPinReportSendingFailure"; |
| 1316 HostPortPair host_port_pair(kHost, kPort); |
| 1317 GURL report_uri(kReportUri); |
| 1318 // Two dummy certs to use as the server-sent and validated chains. The |
| 1319 // contents don't matter. |
| 1320 scoped_refptr<X509Certificate> cert1 = |
| 1321 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 1322 scoped_refptr<X509Certificate> cert2 = |
| 1323 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 1324 ASSERT_TRUE(cert1); |
| 1325 ASSERT_TRUE(cert2); |
| 1326 |
| 1327 HashValueVector good_hashes, bad_hashes; |
| 1328 |
| 1329 for (size_t i = 0; kGoodPath[i]; i++) |
| 1330 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
| 1331 for (size_t i = 0; kBadPath[i]; i++) |
| 1332 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 1333 |
| 1334 // The histogram should start off empty. |
| 1335 histograms.ExpectTotalCount(histogram_name, 0); |
| 1336 |
| 1337 TransportSecurityState state; |
| 1338 MockFailingCertificateReportSender mock_report_sender; |
| 1339 state.SetReportSender(&mock_report_sender); |
| 1340 |
| 1341 const base::Time current_time = base::Time::Now(); |
| 1342 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 1343 state.AddHPKP(kHost, expiry, true, good_hashes, report_uri); |
| 1344 |
| 1345 std::string failure_log; |
| 1346 EXPECT_FALSE(state.CheckPublicKeyPins( |
| 1347 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), |
| 1348 TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
| 1349 |
| 1350 // Check that the UMA histogram was updated when the report failed to |
| 1351 // send. |
| 1352 histograms.ExpectTotalCount(histogram_name, 1); |
| 1353 histograms.ExpectBucketCount(histogram_name, mock_report_sender.net_error(), |
| 1354 1); |
| 1355 } |
| 1356 |
| 1282 TEST_F(TransportSecurityStateTest, HPKPReportOnly) { | 1357 TEST_F(TransportSecurityStateTest, HPKPReportOnly) { |
| 1283 HostPortPair host_port_pair(kHost, kPort); | 1358 HostPortPair host_port_pair(kHost, kPort); |
| 1284 GURL report_uri(kReportUri); | 1359 GURL report_uri(kReportUri); |
| 1285 // Two dummy certs to use as the server-sent and validated chains. The | 1360 // Two dummy certs to use as the server-sent and validated chains. The |
| 1286 // contents don't matter. | 1361 // contents don't matter. |
| 1287 scoped_refptr<X509Certificate> cert1 = | 1362 scoped_refptr<X509Certificate> cert1 = |
| 1288 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | 1363 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 1289 scoped_refptr<X509Certificate> cert2 = | 1364 scoped_refptr<X509Certificate> cert2 = |
| 1290 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | 1365 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 1291 ASSERT_TRUE(cert1); | 1366 ASSERT_TRUE(cert1); |
| (...skipping 440 matching lines...) |
| 1732 EXPECT_EQ(1u, reporter.num_failures()); | 1807 EXPECT_EQ(1u, reporter.num_failures()); |
| 1733 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); | 1808 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); |
| 1734 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, | 1809 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, |
| 1735 reporter.ssl_info().ct_cert_policy_compliance); | 1810 reporter.ssl_info().ct_cert_policy_compliance); |
| 1736 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 1811 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
| 1737 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 1812 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
| 1738 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 1813 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
| 1739 } | 1814 } |
| 1740 | 1815 |
| 1741 } // namespace net | 1816 } // namespace net |
| OLD | NEW |
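Review bot: In `MockFailingCertificateReportSender::Send` the error callback runs synchronously, before `Send` returns, so `UMAOnHPKPReportingFailure` only covers a failure delivered while `CheckPublicKeyPins` is still on the stack. A real sender would presumably deliver the net error later, and this page does not show how the callback passed to `SetErrorCallback` is bound, so a callback that fires after the `TransportSecurityState` is destroyed or the sender is replaced is not exercised here. I would document that limit on the mock, e.g. `// Runs the error callback synchronously; asynchronous failure delivery is not simulated.`, and say on the empty `MockCertificateReportSender::SetErrorCallback` override that the callback is dropped on purpose, e.g. `// Reports never fail in this mock, so the callback is intentionally ignored.`. The test also pins the bucket to the raw value of `ERR_CONNECTION_FAILED`; net error codes are negative, so the test comment could note that the histogram is expected to accept negative samples.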