
Side by Side Diff: net/socket/ssl_client_socket_unittest.cc

Issue 2016143002: Expose when PKP is bypassed in SSLInfo. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Make CertVerifyResult Great Again. Created 4 years, 6 months ago
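--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket.h"
 
 #include <errno.h>
 #include <string.h>
 
 #include <utility>
@@ -3253,11 +3253,87 @@
 EXPECT_TRUE(sock_->IsConnected());
 
 SSLInfo ssl_info;
 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
 EXPECT_TRUE(ssl_info.client_cert_sent);
 
 sock_->Disconnect();
 EXPECT_FALSE(sock_->IsConnected());
 }
 
+HashValueVector MakeHashValueVector(uint8_t value) {
+HashValueVector out;
+HashValue hash(HASH_VALUE_SHA256);
+memset(hash.data(), value, hash.size());
+out.push_back(hash);
+return out;
+}
+
+// Test that |ssl_info.pkp_bypassed| is set when a local trust anchor causes
+// pinning to be bypassed.
+TEST_F(SSLClientSocketTest, PKPBypassedSet) {
+SpawnedTestServer::SSLOptions ssl_options;
+ASSERT_TRUE(StartTestServer(ssl_options));
+scoped_refptr<X509Certificate> server_cert =
+spawned_test_server()->GetCertificate();
+
+// The certificate needs to be trusted, but chain to a local root with
+// different public key hashes than specified in the pin.
+CertVerifyResult verify_result;
+verify_result.is_issued_by_known_root = false;
+verify_result.verified_cert = server_cert;
+verify_result.public_key_hashes = MakeHashValueVector(0);
+cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
+
+// Set up HPKP
+HashValueVector expected_hashes = MakeHashValueVector(1);
+context_.transport_security_state->AddHPKP(
+spawned_test_server()->host_port_pair().host(),
+base::Time::Now() + base::TimeDelta::FromSeconds(10000), true,
+expected_hashes, GURL());
+
+SSLConfig ssl_config;
+int rv;
+ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+SSLInfo ssl_info;
+ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+
+EXPECT_EQ(OK, rv);
+EXPECT_TRUE(sock_->IsConnected());
+
+EXPECT_TRUE(ssl_info.pkp_bypassed);
+}
+
+TEST_F(SSLClientSocketTest, PKPEnforced) {
+SpawnedTestServer::SSLOptions ssl_options;
+ASSERT_TRUE(StartTestServer(ssl_options));
+scoped_refptr<X509Certificate> server_cert =
+spawned_test_server()->GetCertificate();
+
+// Certificate is trusted, but chains to a public root that doesn't match the
+// pin hashes.
+CertVerifyResult verify_result;
+verify_result.is_issued_by_known_root = true;
+verify_result.verified_cert = server_cert;
+verify_result.public_key_hashes = MakeHashValueVector(0);
+cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
+
+// Set up HPKP
+HashValueVector expected_hashes = MakeHashValueVector(1);
+context_.transport_security_state->AddHPKP(
+spawned_test_server()->host_port_pair().host(),
+base::Time::Now() + base::TimeDelta::FromSeconds(10000), true,
+expected_hashes, GURL());
+
+SSLConfig ssl_config;
+int rv;
+ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+SSLInfo ssl_info;
+ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
+
+EXPECT_EQ(ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, rv);
+EXPECT_TRUE(sock_->IsConnected());
+
+EXPECT_FALSE(ssl_info.pkp_bypassed);
+}
+
 } // namespace net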
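Review bot: Both new tests configure pins that do not match the chain (`MakeHashValueVector(0)` against `MakeHashValueVector(1)`), so nothing checks that `pkp_bypassed` stays false when a locally anchored chain does satisfy the pin. A third case with `verify_result.is_issued_by_known_root = false;` and `verify_result.public_key_hashes = MakeHashValueVector(1);` that ends in `EXPECT_FALSE(ssl_info.pkp_bypassed);` would pin that down, assuming the flag is meant to mark only an actual override of a failing pin; code that reports or logs bypasses from SSLInfo would otherwise see false positives. In PKPEnforced (new lines 3306-3337), `EXPECT_TRUE(sock_->IsConnected());` directly after a pin failure deserves a comment such as `// The socket stays connected on a pin failure; the caller decides whether to close it.` if that is the intended contract. Checking `rv` before `ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info))` in both tests would also keep the error code in the output when the assert aborts the test.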