OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
6 | 6 |
7 #include "base/memory/ref_counted.h" | 7 #include "base/memory/ref_counted.h" |
8 #include "net/base/net_errors.h" | 8 #include "net/base/net_errors.h" |
9 #include "net/base/test_data_directory.h" | 9 #include "net/base/test_data_directory.h" |
10 #include "net/cert/cert_status_flags.h" | 10 #include "net/cert/cert_status_flags.h" |
(...skipping 391 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
402 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | 402 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
403 callback.get()); | 403 callback.get()); |
404 ASSERT_EQ(QUIC_SUCCESS, status); | 404 ASSERT_EQ(QUIC_SUCCESS, status); |
405 | 405 |
406 ASSERT_TRUE(details_.get()); | 406 ASSERT_TRUE(details_.get()); |
407 ProofVerifyDetailsChromium* verify_details = | 407 ProofVerifyDetailsChromium* verify_details = |
408 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 408 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
409 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | 409 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
410 } | 410 } |
411 | 411 |
| 412 HashValueVector MakeHashValueVector(uint8_t tag) { |
| 413 HashValue hash(HASH_VALUE_SHA256); |
| 414 memset(hash.data(), tag, hash.size()); |
| 415 HashValueVector hashes; |
| 416 hashes.push_back(hash); |
| 417 return hashes; |
| 418 } |
| 419 |
| 420 // Test that PKP is enforced for certificates that chain up to known roots. |
| 421 TEST_F(ProofVerifierChromiumTest, PKPEnforced) { |
| 422 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
| 423 ASSERT_TRUE(test_cert); |
| 424 |
| 425 CertVerifyResult dummy_result; |
| 426 dummy_result.verified_cert = test_cert; |
| 427 dummy_result.is_issued_by_known_root = true; |
| 428 dummy_result.public_key_hashes = MakeHashValueVector(0x01); |
| 429 dummy_result.cert_status = 0; |
| 430 |
| 431 MockCertVerifier dummy_verifier; |
| 432 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 433 |
| 434 HashValueVector pin_hashes = MakeHashValueVector(0x02); |
| 435 TransportSecurityState transport_security_state; |
| 436 transport_security_state.AddHPKP( |
| 437 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), |
| 438 true, pin_hashes, GURL()); |
| 439 |
| 440 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, |
| 441 &transport_security_state, nullptr); |
| 442 |
| 443 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 444 new DummyProofVerifierCallback); |
| 445 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 446 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 447 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 448 callback.get()); |
| 449 ASSERT_EQ(QUIC_FAILURE, status); |
| 450 |
| 451 ASSERT_TRUE(details_.get()); |
| 452 ProofVerifyDetailsChromium* verify_details = |
| 453 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| 454 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
| 455 EXPECT_FALSE(verify_details->pkp_bypassed); |
| 456 EXPECT_NE("", verify_details->pinning_failure_log); |
| 457 } |
| 458 |
| 459 // Test |pkp_bypassed| is set when PKP is bypassed due to a local |
| 460 // trust anchor |
| 461 TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) { |
| 462 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
| 463 ASSERT_TRUE(test_cert); |
| 464 |
| 465 CertVerifyResult dummy_result; |
| 466 dummy_result.verified_cert = test_cert; |
| 467 dummy_result.is_issued_by_known_root = false; |
| 468 dummy_result.public_key_hashes = MakeHashValueVector(0x01); |
| 469 dummy_result.cert_status = 0; |
| 470 |
| 471 MockCertVerifier dummy_verifier; |
| 472 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 473 |
| 474 HashValueVector expected_hashes = MakeHashValueVector(0x02); |
| 475 TransportSecurityState transport_security_state_fail; |
| 476 transport_security_state_fail.AddHPKP( |
| 477 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), |
| 478 true, expected_hashes, GURL()); |
| 479 |
| 480 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, |
| 481 &transport_security_state_fail, nullptr); |
| 482 |
| 483 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 484 new DummyProofVerifierCallback); |
| 485 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 486 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 487 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 488 callback.get()); |
| 489 ASSERT_EQ(QUIC_SUCCESS, status); |
| 490 |
| 491 ASSERT_TRUE(details_.get()); |
| 492 ProofVerifyDetailsChromium* verify_details = |
| 493 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| 494 EXPECT_TRUE(verify_details->pkp_bypassed); |
| 495 } |
| 496 |
412 } // namespace test | 497 } // namespace test |
413 } // namespace net | 498 } // namespace net |
OLD | NEW |