Index: net/socket/ssl_client_socket_unittest.cc |
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc |
index 8bad8a66a2a3926ab8c767e2cf50b73ebec1dfc7..7751ed845ce58219cc76fc1cbfcd41bf30089a31 100644 |
--- a/net/socket/ssl_client_socket_unittest.cc |
+++ b/net/socket/ssl_client_socket_unittest.cc |
@@ -3290,4 +3290,50 @@ TEST_F(SSLClientSocketTest, SendGoodCert) { |
EXPECT_FALSE(sock_->IsConnected()); |
} |
+const char kExpectedPin[] = "00000000000000000000000000000000"; |
+const char kBadPin[] = "11111111111111111111111111111111"; |
+ |
+HashValueVector MakeHashValueVector(const std::string& pin) { |
+ HashValueVector out; |
+ SHA256HashValue hash; |
+ memcpy(hash.data, pin.data(), 32); |
+ out.push_back(HashValue(hash)); |
+ return out; |
+} |
+ |
+// Test that CERT_STATUS_PKP_BYPASSED is set when a local trust anchor causes |
+// pinning to be bypassed. |
+TEST_F(SSLClientSocketTest, CertStatusPKPBypassed) { |
svaldez
2016/05/27 18:27:44
Possibly add a test to make sure that the connecti
dadrian
2016/05/27 22:03:16
Done.
|
+ SpawnedTestServer::SSLOptions ssl_options; |
+ ASSERT_TRUE(StartTestServer(ssl_options)); |
+ scoped_refptr<X509Certificate> server_cert = |
+ spawned_test_server()->GetCertificate(); |
+ |
+ // The certificate needs to be trusted, but chain to a local root with |
+ // different public key hashes than specified in the pin. |
+ CertVerifyResult verify_result; |
+ verify_result.is_issued_by_known_root = false; |
+ verify_result.verified_cert = server_cert; |
+ verify_result.public_key_hashes = MakeHashValueVector(kBadPin); |
+ cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK); |
+ |
+ // Set up HPKP |
+ HashValueVector expected_hashes = MakeHashValueVector(kExpectedPin); |
+ context_.transport_security_state->AddHPKP( |
+ spawned_test_server()->host_port_pair().host(), |
+ base::Time::Now() + base::TimeDelta::FromSeconds(10000), true, |
+ expected_hashes, GURL()); |
+ |
+ SSLConfig ssl_config; |
+ int rv; |
+ ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
+ SSLInfo ssl_info; |
+ ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
+ |
+ EXPECT_EQ(OK, rv); |
+ EXPECT_TRUE(sock_->IsConnected()); |
+ |
+ EXPECT_TRUE(ssl_info.cert_status & CERT_STATUS_PKP_BYPASSED); |
+} |
+ |
} // namespace net |
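Review bot: MakeHashValueVector copies a fixed 32 bytes out of `pin` without checking that the string is that long, so any shorter pin constant added next to kExpectedPin/kBadPin later would read past the end of the std::string buffer; in a test helper a hard check is enough, `CHECK_EQ(sizeof(hash.data), pin.size());` before the copy, with `memcpy(hash.data, pin.data(), sizeof(hash.data));` so the length is tied to the struct rather than a bare literal. The `true` passed to AddHPKP in CertStatusPKPBypassed is an unnamed boolean argument (presumably include_subdomains); a `/* include_subdomains */` marker on that line would make the call readable. The final assertion only checks that the bypass bit is set; pairing it with `EXPECT_FALSE(IsCertStatusError(ssl_info.cert_status));` would also pin down that the bypass did not leave an error status on the connection.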