1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
6 | 6 |
7 #include "base/memory/ref_counted.h" | 7 #include "base/memory/ref_counted.h" |
8 #include "net/base/net_errors.h" | 8 #include "net/base/net_errors.h" |
9 #include "net/base/test_data_directory.h" | 9 #include "net/base/test_data_directory.h" |
10 #include "net/cert/cert_status_flags.h" | 10 #include "net/cert/cert_status_flags.h" |
402 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | 402 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
403 callback.get()); | 403 callback.get()); |
404 ASSERT_EQ(QUIC_SUCCESS, status); | 404 ASSERT_EQ(QUIC_SUCCESS, status); |
405 | 405 |
406 ASSERT_TRUE(details_.get()); | 406 ASSERT_TRUE(details_.get()); |
407 ProofVerifyDetailsChromium* verify_details = | 407 ProofVerifyDetailsChromium* verify_details = |
408 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 408 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
409 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | 409 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
410 } | 410 } |
411 | 411 |
412 HashValueVector MakeHashValueVector(uint8_t tag) { | |
413 HashValue hash(HASH_VALUE_SHA256); | |
414 memset(hash.data(), tag, hash.size()); | |
415 HashValueVector hashes; | |
416 hashes.push_back(hash); | |
417 return hashes; | |
418 } | |
419 | |
420 // Test that PKP is enforced for certificates that chain up to known roots | |
estark
2016/06/07 04:10:43
So the pinning check is supposed to fail here, rig
estark
2016/06/07 04:10:43
also, nit (sorry): add a period
Believe it or not,
dadrian
2016/06/07 17:48:23
Done.
dadrian
2016/06/07 17:48:23
Effectively, this is only exposed through strings:
421 TEST_F(ProofVerifierChromiumTest, PKPEnforced) { | |
422 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
423 ASSERT_TRUE(test_cert); | |
424 | |
425 CertVerifyResult dummy_result; | |
426 dummy_result.verified_cert = test_cert; | |
427 dummy_result.is_issued_by_known_root = true; | |
428 dummy_result.public_key_hashes = MakeHashValueVector(0x01); | |
429 dummy_result.cert_status = 0; | |
430 | |
431 MockCertVerifier dummy_verifier; | |
432 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
433 | |
434 HashValueVector pin_hashes = MakeHashValueVector(0x02); | |
435 TransportSecurityState transport_security_state; | |
436 transport_security_state.AddHPKP( | |
437 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), | |
438 true, pin_hashes, GURL()); | |
439 | |
440 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, | |
441 &transport_security_state, nullptr); | |
442 | |
443 std::unique_ptr<DummyProofVerifierCallback> callback( | |
444 new DummyProofVerifierCallback); | |
445 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
446 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | |
447 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | |
448 callback.get()); | |
449 ASSERT_EQ(QUIC_FAILURE, status); | |
450 | |
451 ASSERT_TRUE(details_.get()); | |
452 ProofVerifyDetailsChromium* verify_details = | |
453 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | |
454 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | |
455 EXPECT_NE("", verify_details->pinning_failure_log); | |
estark
2016/06/07 04:10:43
Perhaps check that |pkp_bypassed| is false too.
dadrian
2016/06/07 17:48:23
Done.
456 } | |
457 | |
458 // Test CERT_STATUS_PKP_BYPASSED is set when PKP is bypassed due to a local | |
svaldez
2016/06/07 14:12:48
Name.
dadrian
2016/06/07 17:48:23
Done.
459 // trust anchor | |
460 TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) { | |
461 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
462 ASSERT_TRUE(test_cert); | |
463 | |
464 CertVerifyResult dummy_result; | |
465 dummy_result.verified_cert = test_cert; | |
466 dummy_result.is_issued_by_known_root = false; | |
467 dummy_result.public_key_hashes = MakeHashValueVector(0x01); | |
468 dummy_result.cert_status = 0; | |
469 | |
470 MockCertVerifier dummy_verifier; | |
471 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
472 | |
473 HashValueVector expected_hashes = MakeHashValueVector(0x02); | |
474 TransportSecurityState transport_security_state_fail; | |
475 transport_security_state_fail.AddHPKP( | |
476 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), | |
477 true, expected_hashes, GURL()); | |
478 | |
479 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, | |
480 &transport_security_state_fail, nullptr); | |
481 | |
482 std::unique_ptr<DummyProofVerifierCallback> callback( | |
483 new DummyProofVerifierCallback); | |
484 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
485 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | |
486 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | |
487 callback.get()); | |
488 ASSERT_EQ(QUIC_SUCCESS, status); | |
489 | |
490 ASSERT_TRUE(details_.get()); | |
491 ProofVerifyDetailsChromium* verify_details = | |
492 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | |
493 EXPECT_TRUE(verify_details->cert_verify_result.pkp_bypassed); | |
494 } | |
495 | |
412 } // namespace test | 496 } // namespace test |
413 } // namespace net | 497 } // namespace net |
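Review bot: PKPBypassFlagSet (new lines 460–494) asserts only that `pkp_bypassed` is true, so a regression in which the verifier both bypasses the pins and still records a pin failure, or sets an error bit in cert_status, would pass unnoticed. For symmetry with PKPEnforced and the test ending at new line 410, pin the rest of the result too: `EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status);` and, if the bypass path is expected to leave the log empty, `EXPECT_EQ("", verify_details->pinning_failure_log);`. The two new tests differ only in `is_issued_by_known_root` (new lines 427 and 466), which is what makes PKPEnforced the control for the bypass case; a why-comment on new line 466 such as `// Not chained to a known root: pins are bypassed, not enforced.` would make that intent explicit to the next reader.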
OLD | NEW |