Chromium Code Reviews Chromium Code Reviews
Issue 2016143002:
Expose when PKP is bypassed in SSLInfo. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <utility> | 10 #include <utility> |
| (...skipping 3272 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3283 EXPECT_TRUE(sock_->IsConnected()); | 3283 EXPECT_TRUE(sock_->IsConnected()); |
| 3284 | 3284 |
| 3285 SSLInfo ssl_info; | 3285 SSLInfo ssl_info; |
| 3286 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); | 3286 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
| 3287 EXPECT_TRUE(ssl_info.client_cert_sent); | 3287 EXPECT_TRUE(ssl_info.client_cert_sent); |
| 3288 | 3288 |
| 3289 sock_->Disconnect(); | 3289 sock_->Disconnect(); |
| 3290 EXPECT_FALSE(sock_->IsConnected()); | 3290 EXPECT_FALSE(sock_->IsConnected()); |
| 3291 } | 3291 } |
| 3292 | 3292 |
| 3293 const char kExpectedPin[] = "00000000000000000000000000000000"; | |
| 3294 const char kBadPin[] = "11111111111111111111111111111111"; | |
| 3295 | |
| 3296 HashValueVector MakeHashValueVector(const std::string& pin) { | |
| 3297 HashValueVector out; | |
| 3298 SHA256HashValue hash; | |
| 3299 memcpy(hash.data, pin.data(), 32); | |
| 3300 out.push_back(HashValue(hash)); | |
| 3301 return out; | |
| 3302 } | |
| 3303 | |
| 3304 // Test that CERT_STATUS_PKP_BYPASSED is set when a local trust anchor causes | |
| 3305 // pinning to be bypassed. | |
| 3306 TEST_F(SSLClientSocketTest, CertStatusPKPBypassed) { | |
|
svaldez
2016/05/27 18:27:44
Possibly add a test to make sure that the connecti
dadrian
2016/05/27 22:03:16
Done.
| |
| 3307 SpawnedTestServer::SSLOptions ssl_options; | |
| 3308 ASSERT_TRUE(StartTestServer(ssl_options)); | |
| 3309 scoped_refptr<X509Certificate> server_cert = | |
| 3310 spawned_test_server()->GetCertificate(); | |
| 3311 | |
| 3312 // The certificate needs to be trusted, but chain to a local root with | |
| 3313 // different public key hashes than specified in the pin. | |
| 3314 CertVerifyResult verify_result; | |
| 3315 verify_result.is_issued_by_known_root = false; | |
| 3316 verify_result.verified_cert = server_cert; | |
| 3317 verify_result.public_key_hashes = MakeHashValueVector(kBadPin); | |
| 3318 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK); | |
| 3319 | |
| 3320 // Set up HPKP | |
| 3321 HashValueVector expected_hashes = MakeHashValueVector(kExpectedPin); | |
| 3322 context_.transport_security_state->AddHPKP( | |
| 3323 spawned_test_server()->host_port_pair().host(), | |
| 3324 base::Time::Now() + base::TimeDelta::FromSeconds(10000), true, | |
| 3325 expected_hashes, GURL()); | |
| 3326 | |
| 3327 SSLConfig ssl_config; | |
| 3328 int rv; | |
| 3329 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
| 3330 SSLInfo ssl_info; | |
| 3331 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); | |
| 3332 | |
| 3333 EXPECT_EQ(OK, rv); | |
| 3334 EXPECT_TRUE(sock_->IsConnected()); | |
| 3335 | |
| 3336 EXPECT_TRUE(ssl_info.cert_status & CERT_STATUS_PKP_BYPASSED); | |
| 3337 } | |
| 3338 | |
| 3293 } // namespace net | 3339 } // namespace net |
| OLD | NEW |
