OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
6 | 6 |
7 #include "base/memory/ref_counted.h" | 7 #include "base/memory/ref_counted.h" |
8 #include "net/base/net_errors.h" | 8 #include "net/base/net_errors.h" |
9 #include "net/base/test_data_directory.h" | 9 #include "net/base/test_data_directory.h" |
10 #include "net/cert/cert_status_flags.h" | 10 #include "net/cert/cert_status_flags.h" |
(...skipping 391 matching lines...) | |
402 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | 402 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
403 callback.get()); | 403 callback.get()); |
404 ASSERT_EQ(QUIC_SUCCESS, status); | 404 ASSERT_EQ(QUIC_SUCCESS, status); |
405 | 405 |
406 ASSERT_TRUE(details_.get()); | 406 ASSERT_TRUE(details_.get()); |
407 ProofVerifyDetailsChromium* verify_details = | 407 ProofVerifyDetailsChromium* verify_details = |
408 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 408 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
409 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | 409 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
410 } | 410 } |
411 | 411 |
412 HashValueVector MakeHashValueVector(uint8_t tag) { | |
Ryan Sleevi
2016/06/09 19:17:32
NAMING: This is confusing with HashValueTag (which
| |
413 HashValue hash(HASH_VALUE_SHA256); | |
414 memset(hash.data(), tag, hash.size()); | |
415 HashValueVector hashes; | |
416 hashes.push_back(hash); | |
417 return hashes; | |
418 } | |
419 | |
420 // Test that PKP is enforced for certificates that chain up to known roots. | |
421 TEST_F(ProofVerifierChromiumTest, PKPEnforced) { | |
422 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
423 ASSERT_TRUE(test_cert); | |
424 | |
425 CertVerifyResult dummy_result; | |
426 dummy_result.verified_cert = test_cert; | |
427 dummy_result.is_issued_by_known_root = true; | |
428 dummy_result.public_key_hashes = MakeHashValueVector(0x01); | |
429 dummy_result.cert_status = 0; | |
430 | |
431 MockCertVerifier dummy_verifier; | |
432 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
433 | |
434 HashValueVector pin_hashes = MakeHashValueVector(0x02); | |
435 TransportSecurityState transport_security_state; | |
436 transport_security_state.AddHPKP( | |
437 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), | |
438 true, pin_hashes, GURL()); | |
439 | |
440 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, | |
441 &transport_security_state, nullptr); | |
442 | |
443 std::unique_ptr<DummyProofVerifierCallback> callback( | |
444 new DummyProofVerifierCallback); | |
445 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
446 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | |
447 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | |
448 callback.get()); | |
449 ASSERT_EQ(QUIC_FAILURE, status); | |
450 | |
451 ASSERT_TRUE(details_.get()); | |
452 ProofVerifyDetailsChromium* verify_details = | |
453 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | |
454 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | |
455 EXPECT_FALSE(verify_details->cert_verify_result.pkp_bypassed); | |
456 EXPECT_NE("", verify_details->pinning_failure_log); | |
457 } | |
458 | |
459 // Test |pkp_bypassed| is set when PKP is bypassed due to a local | |
460 // trust anchor | |
461 TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) { | |
462 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
463 ASSERT_TRUE(test_cert); | |
464 | |
465 CertVerifyResult dummy_result; | |
466 dummy_result.verified_cert = test_cert; | |
467 dummy_result.is_issued_by_known_root = false; | |
468 dummy_result.public_key_hashes = MakeHashValueVector(0x01); | |
469 dummy_result.cert_status = 0; | |
470 | |
471 MockCertVerifier dummy_verifier; | |
472 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
473 | |
474 HashValueVector expected_hashes = MakeHashValueVector(0x02); | |
475 TransportSecurityState transport_security_state_fail; | |
476 transport_security_state_fail.AddHPKP( | |
477 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), | |
478 true, expected_hashes, GURL()); | |
479 | |
480 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, | |
481 &transport_security_state_fail, nullptr); | |
482 | |
483 std::unique_ptr<DummyProofVerifierCallback> callback( | |
484 new DummyProofVerifierCallback); | |
485 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
486 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | |
487 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | |
488 callback.get()); | |
489 ASSERT_EQ(QUIC_SUCCESS, status); | |
490 | |
491 ASSERT_TRUE(details_.get()); | |
492 ProofVerifyDetailsChromium* verify_details = | |
493 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | |
494 EXPECT_TRUE(verify_details->cert_verify_result.pkp_bypassed); | |
495 } | |
496 | |
412 } // namespace test | 497 } // namespace test |
413 } // namespace net | 498 } // namespace net |
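Review bot: Neither new test covers a verification where the served key hashes match the configured pins, so nothing asserts that `pkp_bypassed` stays false on a successful, non-bypassed handshake. PKPEnforced checks the flag only on the QUIC_FAILURE path and PKPBypassFlagSet checks only the true case. An implementation that set the flag on every successful pinned-host verification, or whenever `is_issued_by_known_root` is false, would pass both. A third case using `MakeHashValueVector(0x01)` for both `public_key_hashes` and the `AddHPKP` pins, ending in `ASSERT_EQ(QUIC_SUCCESS, status);` and `EXPECT_FALSE(verify_details->cert_verify_result.pkp_bypassed);`, would close that gap. If the flag is meant to signal that a pin check would otherwise have failed, the same case with `is_issued_by_known_root = false` is worth adding too, since that flag is what downstream consumers would rely on to tell a local-anchor override from a clean match.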