| Index: net/quic/crypto/proof_verifier_chromium_test.cc |
| diff --git a/net/quic/crypto/proof_verifier_chromium_test.cc b/net/quic/crypto/proof_verifier_chromium_test.cc |
| index 267a2f9d499641e002475a01b138f77ea66d90c6..90366834de4c2cd2a4fc3453397fe8a2fd9b098d 100644 |
| --- a/net/quic/crypto/proof_verifier_chromium_test.cc |
| +++ b/net/quic/crypto/proof_verifier_chromium_test.cc |
| @@ -409,5 +409,90 @@ TEST_F(ProofVerifierChromiumTest, IgnoresPolicyEnforcerIfNotEV) { |
| EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
| } |
| +HashValueVector MakeHashValueVector(uint8_t tag) { |
|
Ryan Sleevi
2016/06/09 19:17:32
NAMING: This is confusing with HashValueTag (which
|
| + HashValue hash(HASH_VALUE_SHA256); |
| + memset(hash.data(), tag, hash.size()); |
| + HashValueVector hashes; |
| + hashes.push_back(hash); |
| + return hashes; |
| +} |
| + |
| +// Test that PKP is enforced for certificates that chain up to known roots. |
| +TEST_F(ProofVerifierChromiumTest, PKPEnforced) { |
| + scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
| + ASSERT_TRUE(test_cert); |
| + |
| + CertVerifyResult dummy_result; |
| + dummy_result.verified_cert = test_cert; |
| + dummy_result.is_issued_by_known_root = true; |
| + dummy_result.public_key_hashes = MakeHashValueVector(0x01); |
| + dummy_result.cert_status = 0; |
| + |
| + MockCertVerifier dummy_verifier; |
| + dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| + |
| + HashValueVector pin_hashes = MakeHashValueVector(0x02); |
| + TransportSecurityState transport_security_state; |
| + transport_security_state.AddHPKP( |
| + kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), |
| + true, pin_hashes, GURL()); |
| + |
| + ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, |
| + &transport_security_state, nullptr); |
| + |
| + std::unique_ptr<DummyProofVerifierCallback> callback( |
| + new DummyProofVerifierCallback); |
| + QuicAsyncStatus status = proof_verifier.VerifyProof( |
| + kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| + GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| + callback.get()); |
| + ASSERT_EQ(QUIC_FAILURE, status); |
| + |
| + ASSERT_TRUE(details_.get()); |
| + ProofVerifyDetailsChromium* verify_details = |
| + static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| + EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
| + EXPECT_FALSE(verify_details->cert_verify_result.pkp_bypassed); |
| + EXPECT_NE("", verify_details->pinning_failure_log); |
| +} |
| + |
| +// Test |pkp_bypassed| is set when PKP is bypassed due to a local |
| +// trust anchor |
| +TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) { |
| + scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
| + ASSERT_TRUE(test_cert); |
| + |
| + CertVerifyResult dummy_result; |
| + dummy_result.verified_cert = test_cert; |
| + dummy_result.is_issued_by_known_root = false; |
| + dummy_result.public_key_hashes = MakeHashValueVector(0x01); |
| + dummy_result.cert_status = 0; |
| + |
| + MockCertVerifier dummy_verifier; |
| + dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| + |
| + HashValueVector expected_hashes = MakeHashValueVector(0x02); |
| + TransportSecurityState transport_security_state_fail; |
| + transport_security_state_fail.AddHPKP( |
| + kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), |
| + true, expected_hashes, GURL()); |
| + |
| + ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, |
| + &transport_security_state_fail, nullptr); |
| + |
| + std::unique_ptr<DummyProofVerifierCallback> callback( |
| + new DummyProofVerifierCallback); |
| + QuicAsyncStatus status = proof_verifier.VerifyProof( |
| + kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| + GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| + callback.get()); |
| + ASSERT_EQ(QUIC_SUCCESS, status); |
| + |
| + ASSERT_TRUE(details_.get()); |
| + ProofVerifyDetailsChromium* verify_details = |
| + static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| + EXPECT_TRUE(verify_details->cert_verify_result.pkp_bypassed); |
| +} |
| + |
| } // namespace test |
| } // namespace net |
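Review bot: Both new tests pin `MakeHashValueVector(0x02)` against a certificate whose hashes are `MakeHashValueVector(0x01)`, so the only thing they vary is `is_issued_by_known_root`; no case covers a known-root chain whose key hash matches the pin. Without that case, a regression that rejects every pinned host, or one that sets `pkp_bypassed` on any successful verification, would presumably still pass `PKPEnforced` and `PKPBypassFlagSet`. Consider a third test with `is_issued_by_known_root = true` that uses the same tag for the certificate hashes and the pin, then checks `ASSERT_EQ(QUIC_SUCCESS, status);` and `EXPECT_FALSE(verify_details->cert_verify_result.pkp_bypassed);`. For symmetry with `PKPEnforced`, `PKPBypassFlagSet` could also assert `EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status);` so that a bypass is shown not to alter the certificate status.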