OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <string.h> | 8 #include <string.h> |
9 | 9 |
10 #include <utility> | 10 #include <utility> |
(...skipping 3242 matching lines...)
3253 EXPECT_TRUE(sock_->IsConnected()); | 3253 EXPECT_TRUE(sock_->IsConnected()); |
3254 | 3254 |
3255 SSLInfo ssl_info; | 3255 SSLInfo ssl_info; |
3256 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); | 3256 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
3257 EXPECT_TRUE(ssl_info.client_cert_sent); | 3257 EXPECT_TRUE(ssl_info.client_cert_sent); |
3258 | 3258 |
3259 sock_->Disconnect(); | 3259 sock_->Disconnect(); |
3260 EXPECT_FALSE(sock_->IsConnected()); | 3260 EXPECT_FALSE(sock_->IsConnected()); |
3261 } | 3261 } |
3262 | 3262 |
| 3263 const char kExpectedPin[] = "00000000000000000000000000000000"; |
| 3264 const char kBadPin[] = "11111111111111111111111111111111"; |
| 3265 |
| 3266 HashValueVector MakeHashValueVector(const std::string& pin) { |
| 3267 HashValueVector out; |
| 3268 SHA256HashValue hash; |
| 3269 memcpy(hash.data, pin.data(), 32); |
| 3270 out.push_back(HashValue(hash)); |
| 3271 return out; |
| 3272 } |
| 3273 |
| 3274 // Test that |ssl_info.pkp_bypassed| is set when a local trust anchor causes |
| 3275 // pinning to be bypassed. |
| 3276 TEST_F(SSLClientSocketTest, PKPBypassedSet) { |
| 3277 SpawnedTestServer::SSLOptions ssl_options; |
| 3278 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 3279 scoped_refptr<X509Certificate> server_cert = |
| 3280 spawned_test_server()->GetCertificate(); |
| 3281 |
| 3282 // The certificate needs to be trusted, but chain to a local root with |
| 3283 // different public key hashes than specified in the pin. |
| 3284 CertVerifyResult verify_result; |
| 3285 verify_result.is_issued_by_known_root = false; |
| 3286 verify_result.verified_cert = server_cert; |
| 3287 verify_result.public_key_hashes = MakeHashValueVector(kBadPin); |
| 3288 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK); |
| 3289 |
| 3290 // Set up HPKP |
| 3291 HashValueVector expected_hashes = MakeHashValueVector(kExpectedPin); |
| 3292 context_.transport_security_state->AddHPKP( |
| 3293 spawned_test_server()->host_port_pair().host(), |
| 3294 base::Time::Now() + base::TimeDelta::FromSeconds(10000), true, |
| 3295 expected_hashes, GURL()); |
| 3296 |
| 3297 SSLConfig ssl_config; |
| 3298 int rv; |
| 3299 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3300 SSLInfo ssl_info; |
| 3301 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
| 3302 |
| 3303 EXPECT_EQ(OK, rv); |
| 3304 EXPECT_TRUE(sock_->IsConnected()); |
| 3305 |
| 3306 EXPECT_TRUE(ssl_info.pkp_bypassed); |
| 3307 } |
| 3308 |
| 3309 TEST_F(SSLClientSocketTest, PKPEnforced) { |
| 3310 SpawnedTestServer::SSLOptions ssl_options; |
| 3311 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 3312 scoped_refptr<X509Certificate> server_cert = |
| 3313 spawned_test_server()->GetCertificate(); |
| 3314 |
| 3315 // Certificate is trusted, but chains to a public root that doesn't match the |
| 3316 // pin hashes. |
| 3317 CertVerifyResult verify_result; |
| 3318 verify_result.is_issued_by_known_root = true; |
| 3319 verify_result.verified_cert = server_cert; |
| 3320 verify_result.public_key_hashes = MakeHashValueVector(kBadPin); |
| 3321 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK); |
| 3322 |
| 3323 // Set up HPKP |
| 3324 HashValueVector expected_hashes = MakeHashValueVector(kExpectedPin); |
| 3325 context_.transport_security_state->AddHPKP( |
| 3326 spawned_test_server()->host_port_pair().host(), |
| 3327 base::Time::Now() + base::TimeDelta::FromSeconds(10000), true, |
| 3328 expected_hashes, GURL()); |
| 3329 |
| 3330 SSLConfig ssl_config; |
| 3331 int rv; |
| 3332 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3333 SSLInfo ssl_info; |
| 3334 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
| 3335 |
| 3336 EXPECT_EQ(ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, rv); |
| 3337 EXPECT_TRUE(sock_->IsConnected()); |
| 3338 |
| 3339 EXPECT_FALSE(ssl_info.pkp_bypassed); |
| 3340 } |
| 3341 |
3263 } // namespace net | 3342 } // namespace net |
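Review bot: `MakeHashValueVector` copies a hard-coded 32 bytes out of `pin` with no length check, so a caller passing a shorter string would make `memcpy` read past the end of the string's buffer. Both current constants are 32 characters, so today's tests are fine, but the helper should enforce it with `CHECK_EQ(sizeof(hash.data), pin.size());` followed by `memcpy(hash.data, pin.data(), sizeof(hash.data));` (assuming `CHECK_EQ` from base logging is already available in this file). In `PKPEnforced` the test expects `sock_->IsConnected()` to be true even though `rv` is `ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN`; a comment such as `// The socket stays connected on a pin failure; callers must act on |rv|.` would show this is intended rather than an oversight. The two tests also leave one combination uncovered: a locally trusted root whose hashes do match the pin, where `pkp_bypassed` should presumably stay false.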
OLD | NEW |