| Index: net/socket/ssl_client_socket_unittest.cc
|
| diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
|
| index 8bad8a66a2a3926ab8c767e2cf50b73ebec1dfc7..a23be3b832b886b8ae4116e373979cc4aac10646 100644
|
| --- a/net/socket/ssl_client_socket_unittest.cc
|
| +++ b/net/socket/ssl_client_socket_unittest.cc
|
| @@ -3290,4 +3290,83 @@ TEST_F(SSLClientSocketTest, SendGoodCert) {
|
| EXPECT_FALSE(sock_->IsConnected());
|
| }
|
|
|
| +const char kExpectedPin[] = "00000000000000000000000000000000";
|
| +const char kBadPin[] = "11111111111111111111111111111111";
|
| +
|
| +HashValueVector MakeHashValueVector(const std::string& pin) {
|
| + HashValueVector out;
|
| + SHA256HashValue hash;
|
| + memcpy(hash.data, pin.data(), 32);
|
| + out.push_back(HashValue(hash));
|
| + return out;
|
| +}
|
| +
|
| +// Test that CERT_STATUS_PKP_BYPASSED is set when a local trust anchor causes
|
| +// pinning to be bypassed.
|
| +TEST_F(SSLClientSocketTest, CertStatusPKPBypassed) {
|
| + SpawnedTestServer::SSLOptions ssl_options;
|
| + ASSERT_TRUE(StartTestServer(ssl_options));
|
| + scoped_refptr<X509Certificate> server_cert =
|
| + spawned_test_server()->GetCertificate();
|
| +
|
| + // The certificate needs to be trusted, but chain to a local root with
|
| + // different public key hashes than specified in the pin.
|
| + CertVerifyResult verify_result;
|
| + verify_result.is_issued_by_known_root = false;
|
| + verify_result.verified_cert = server_cert;
|
| + verify_result.public_key_hashes = MakeHashValueVector(kBadPin);
|
| + cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
|
| +
|
| + // Set up HPKP
|
| + HashValueVector expected_hashes = MakeHashValueVector(kExpectedPin);
|
| + context_.transport_security_state->AddHPKP(
|
| + spawned_test_server()->host_port_pair().host(),
|
| + base::Time::Now() + base::TimeDelta::FromSeconds(10000), true,
|
| + expected_hashes, GURL());
|
| +
|
| + SSLConfig ssl_config;
|
| + int rv;
|
| + ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
|
| + SSLInfo ssl_info;
|
| + ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
|
| +
|
| + EXPECT_EQ(OK, rv);
|
| + EXPECT_TRUE(sock_->IsConnected());
|
| +
|
| + EXPECT_TRUE(ssl_info.cert_status & CERT_STATUS_PKP_BYPASSED);
|
| +}
|
| +
|
| +TEST_F(SSLClientSocketTest, PKPEnforced) {
|
| + SpawnedTestServer::SSLOptions ssl_options;
|
| + ASSERT_TRUE(StartTestServer(ssl_options));
|
| + scoped_refptr<X509Certificate> server_cert =
|
| + spawned_test_server()->GetCertificate();
|
| +
|
| + // Certificate is trusted, but chains to a public root that doesn't match the
|
| + // pin hashes.
|
| + CertVerifyResult verify_result;
|
| + verify_result.is_issued_by_known_root = true;
|
| + verify_result.verified_cert = server_cert;
|
| + verify_result.public_key_hashes = MakeHashValueVector(kBadPin);
|
| + cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
|
| +
|
| + // Set up HPKP
|
| + HashValueVector expected_hashes = MakeHashValueVector(kExpectedPin);
|
| + context_.transport_security_state->AddHPKP(
|
| + spawned_test_server()->host_port_pair().host(),
|
| + base::Time::Now() + base::TimeDelta::FromSeconds(10000), true,
|
| + expected_hashes, GURL());
|
| +
|
| + SSLConfig ssl_config;
|
| + int rv;
|
| + ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
|
| + SSLInfo ssl_info;
|
| + ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
|
| +
|
| + EXPECT_EQ(ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN, rv);
|
| + EXPECT_TRUE(sock_->IsConnected());
|
| +
|
| + EXPECT_FALSE(ssl_info.cert_status & CERT_STATUS_PKP_BYPASSED);
|
| +}
|
| +
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 2016143002:
Expose when PKP is bypassed in SSLInfo. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master