
Side by Side Diff: net/quic/crypto/proof_verifier_chromium_test.cc

Issue 2016143002: Expose when PKP is bypassed in SSLInfo. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Add pkp_bypassed to SSLInfo Created 4 years, 6 months ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/quic/crypto/proof_verifier_chromium.h" 5 #include "net/quic/crypto/proof_verifier_chromium.h"
6 6
7 #include "base/memory/ref_counted.h" 7 #include "base/memory/ref_counted.h"
8 #include "net/base/net_errors.h" 8 #include "net/base/net_errors.h"
9 #include "net/base/test_data_directory.h" 9 #include "net/base/test_data_directory.h"
10 #include "net/cert/cert_status_flags.h" 10 #include "net/cert/cert_status_flags.h"
(...skipping 391 matching lines...) Expand 10 before | Expand all | Expand 10 after
402 GetTestSignature(), verify_context_.get(), &error_details_, &details_, 402 GetTestSignature(), verify_context_.get(), &error_details_, &details_,
403 callback.get()); 403 callback.get());
404 ASSERT_EQ(QUIC_SUCCESS, status); 404 ASSERT_EQ(QUIC_SUCCESS, status);
405 405
406 ASSERT_TRUE(details_.get()); 406 ASSERT_TRUE(details_.get());
407 ProofVerifyDetailsChromium* verify_details = 407 ProofVerifyDetailsChromium* verify_details =
408 static_cast<ProofVerifyDetailsChromium*>(details_.get()); 408 static_cast<ProofVerifyDetailsChromium*>(details_.get());
409 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); 409 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status);
410 } 410 }
411 411
412 HashValueVector MakeHashValueVector(uint8_t tag) {
413 HashValue hash(HASH_VALUE_SHA256);
414 memset(hash.data(), tag, hash.size());
415 HashValueVector hashes;
416 hashes.push_back(hash);
417 return hashes;
418 }
419
420 // Test that PKP is enforced for certificates that chain up to known roots
estark 2016/06/07 04:10:43 So the pinning check is supposed to fail here, rig
estark 2016/06/07 04:10:43 also, nit (sorry): add a period Believe it or not,
dadrian 2016/06/07 17:48:23 Done.
dadrian 2016/06/07 17:48:23 Effectively, this is only exposed through strings:
421 TEST_F(ProofVerifierChromiumTest, PKPEnforced) {
422 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
423 ASSERT_TRUE(test_cert);
424
425 CertVerifyResult dummy_result;
426 dummy_result.verified_cert = test_cert;
427 dummy_result.is_issued_by_known_root = true;
428 dummy_result.public_key_hashes = MakeHashValueVector(0x01);
429 dummy_result.cert_status = 0;
430
431 MockCertVerifier dummy_verifier;
432 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
433
434 HashValueVector pin_hashes = MakeHashValueVector(0x02);
435 TransportSecurityState transport_security_state;
436 transport_security_state.AddHPKP(
437 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000),
438 true, pin_hashes, GURL());
439
440 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr,
441 &transport_security_state, nullptr);
442
443 std::unique_ptr<DummyProofVerifierCallback> callback(
444 new DummyProofVerifierCallback);
445 QuicAsyncStatus status = proof_verifier.VerifyProof(
446 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
447 GetTestSignature(), verify_context_.get(), &error_details_, &details_,
448 callback.get());
449 ASSERT_EQ(QUIC_FAILURE, status);
450
451 ASSERT_TRUE(details_.get());
452 ProofVerifyDetailsChromium* verify_details =
453 static_cast<ProofVerifyDetailsChromium*>(details_.get());
454 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status);
455 EXPECT_NE("", verify_details->pinning_failure_log);
estark 2016/06/07 04:10:43 Perhaps check that |pkp_bypassed| is false too.
dadrian 2016/06/07 17:48:23 Done.
456 }
457
458 // Test CERT_STATUS_PKP_BYPASSED is set when PKP is bypassed due to a local
svaldez 2016/06/07 14:12:48 Name.
dadrian 2016/06/07 17:48:23 Done.
459 // trust anchor
460 TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) {
461 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
462 ASSERT_TRUE(test_cert);
463
464 CertVerifyResult dummy_result;
465 dummy_result.verified_cert = test_cert;
466 dummy_result.is_issued_by_known_root = false;
467 dummy_result.public_key_hashes = MakeHashValueVector(0x01);
468 dummy_result.cert_status = 0;
469
470 MockCertVerifier dummy_verifier;
471 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
472
473 HashValueVector expected_hashes = MakeHashValueVector(0x02);
474 TransportSecurityState transport_security_state_fail;
475 transport_security_state_fail.AddHPKP(
476 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000),
477 true, expected_hashes, GURL());
478
479 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr,
480 &transport_security_state_fail, nullptr);
481
482 std::unique_ptr<DummyProofVerifierCallback> callback(
483 new DummyProofVerifierCallback);
484 QuicAsyncStatus status = proof_verifier.VerifyProof(
485 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
486 GetTestSignature(), verify_context_.get(), &error_details_, &details_,
487 callback.get());
488 ASSERT_EQ(QUIC_SUCCESS, status);
489
490 ASSERT_TRUE(details_.get());
491 ProofVerifyDetailsChromium* verify_details =
492 static_cast<ProofVerifyDetailsChromium*>(details_.get());
493 EXPECT_TRUE(verify_details->cert_verify_result.pkp_bypassed);
494 }
495
412 } // namespace test 496 } // namespace test
413 } // namespace net 497 } // namespace net
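Review bot: PKPBypassFlagSet (new lines 460-494) pins only the positive case, so a regression that set `pkp_bypassed` for every certificate not issued by a known root would still pass this file. Because the flag is surfaced as a security signal, a companion test for a locally trusted certificate on a host with no pins configured would guard against it being reported spuriously. I would expect `EXPECT_FALSE(verify_details->cert_verify_result.pkp_bypassed)` there, though that depends on how the verifier treats hosts without pins, which this file does not show. A sketch follows, with the setup it shares with PKPBypassFlagSet left out.

```cpp
// Test that pkp_bypassed stays false when a locally trusted certificate is
// used for a host that has no pins configured.
TEST_F(ProofVerifierChromiumTest, PKPBypassFlagNotSetWithoutPins) {
  // … unchanged: test_cert, dummy_result (is_issued_by_known_root = false) and dummy_verifier as in PKPBypassFlagSet …

  // No AddHPKP() call: kTestHostname has no pins that could be bypassed.
  TransportSecurityState transport_security_state;
  ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr,
                                       &transport_security_state, nullptr);

  // … unchanged: callback and VerifyProof() call as in PKPBypassFlagSet …
  ASSERT_EQ(QUIC_SUCCESS, status);

  ASSERT_TRUE(details_.get());
  ProofVerifyDetailsChromium* verify_details =
      static_cast<ProofVerifyDetailsChromium*>(details_.get());
  EXPECT_FALSE(verify_details->cert_verify_result.pkp_bypassed);
}
```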