Index: net/quic/crypto/proof_verifier_chromium_test.cc |
diff --git a/net/quic/crypto/proof_verifier_chromium_test.cc b/net/quic/crypto/proof_verifier_chromium_test.cc |
index 267a2f9d499641e002475a01b138f77ea66d90c6..d86747da3f4ef32966bee9af9f7df56c0c6d925b 100644 |
--- a/net/quic/crypto/proof_verifier_chromium_test.cc |
+++ b/net/quic/crypto/proof_verifier_chromium_test.cc |
@@ -409,5 +409,89 @@ TEST_F(ProofVerifierChromiumTest, IgnoresPolicyEnforcerIfNotEV) { |
EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
} |
+HashValueVector MakeHashValueVector(uint8_t tag) { |
+ HashValue hash(HASH_VALUE_SHA256); |
+ memset(hash.data(), tag, hash.size()); |
+ HashValueVector hashes; |
+ hashes.push_back(hash); |
+ return hashes; |
+} |
+ |
+// Test that PKP is enforced for certificates that chain up to known roots |
estark
2016/06/07 04:10:43
So the pinning check is supposed to fail here, rig
estark
2016/06/07 04:10:43
also, nit (sorry): add a period
Believe it or not,
dadrian
2016/06/07 17:48:23
Done.
dadrian
2016/06/07 17:48:23
Effectively, this is only exposed through strings:
|
+TEST_F(ProofVerifierChromiumTest, PKPEnforced) { |
+ scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
+ ASSERT_TRUE(test_cert); |
+ |
+ CertVerifyResult dummy_result; |
+ dummy_result.verified_cert = test_cert; |
+ dummy_result.is_issued_by_known_root = true; |
+ dummy_result.public_key_hashes = MakeHashValueVector(0x01); |
+ dummy_result.cert_status = 0; |
+ |
+ MockCertVerifier dummy_verifier; |
+ dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
+ |
+ HashValueVector pin_hashes = MakeHashValueVector(0x02); |
+ TransportSecurityState transport_security_state; |
+ transport_security_state.AddHPKP( |
+ kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), |
+ true, pin_hashes, GURL()); |
+ |
+ ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, |
+ &transport_security_state, nullptr); |
+ |
+ std::unique_ptr<DummyProofVerifierCallback> callback( |
+ new DummyProofVerifierCallback); |
+ QuicAsyncStatus status = proof_verifier.VerifyProof( |
+ kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
+ GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
+ callback.get()); |
+ ASSERT_EQ(QUIC_FAILURE, status); |
+ |
+ ASSERT_TRUE(details_.get()); |
+ ProofVerifyDetailsChromium* verify_details = |
+ static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
+ EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
+ EXPECT_NE("", verify_details->pinning_failure_log); |
estark
2016/06/07 04:10:43
Perhaps check that |pkp_bypassed| is false too.
dadrian
2016/06/07 17:48:23
Done.
|
+} |
+ |
+// Test CERT_STATUS_PKP_BYPASSED is set when PKP is bypassed due to a local |
svaldez
2016/06/07 14:12:48
Name.
dadrian
2016/06/07 17:48:23
Done.
|
+// trust anchor |
+TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) { |
+ scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
+ ASSERT_TRUE(test_cert); |
+ |
+ CertVerifyResult dummy_result; |
+ dummy_result.verified_cert = test_cert; |
+ dummy_result.is_issued_by_known_root = false; |
+ dummy_result.public_key_hashes = MakeHashValueVector(0x01); |
+ dummy_result.cert_status = 0; |
+ |
+ MockCertVerifier dummy_verifier; |
+ dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
+ |
+ HashValueVector expected_hashes = MakeHashValueVector(0x02); |
+ TransportSecurityState transport_security_state_fail; |
+ transport_security_state_fail.AddHPKP( |
+ kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), |
+ true, expected_hashes, GURL()); |
+ |
+ ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, |
+ &transport_security_state_fail, nullptr); |
+ |
+ std::unique_ptr<DummyProofVerifierCallback> callback( |
+ new DummyProofVerifierCallback); |
+ QuicAsyncStatus status = proof_verifier.VerifyProof( |
+ kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
+ GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
+ callback.get()); |
+ ASSERT_EQ(QUIC_SUCCESS, status); |
+ |
+ ASSERT_TRUE(details_.get()); |
+ ProofVerifyDetailsChromium* verify_details = |
+ static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
+ EXPECT_TRUE(verify_details->cert_verify_result.pkp_bypassed); |
+} |
+ |
} // namespace test |
} // namespace net |
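Review bot: PKPBypassFlagSet only exercises the positive case (local trust anchor plus non-matching pins), so it cannot distinguish "the flag is set because a pin mismatch was skipped" from "the flag is set whenever `is_issued_by_known_root` is false"; a second case with matching pins, `MakeHashValueVector(0x01)` passed to `AddHPKP` alongside a local root, asserting `QUIC_SUCCESS` and the intended `pkp_bypassed` value, would pin down which of the two the verifier implements — I cannot tell from this hunk which one is intended. In the same vein, PKPEnforced asserts only `QUIC_FAILURE` and a non-empty `pinning_failure_log`, so if `VerifyProof` can fail on this input for another reason (signature or chain checks presumably run before the pin check), the test could pass without the pin check ever being enforced; checking `error_details_` for the pinning message, or at least `EXPECT_NE("", error_details_)` combined with the log check, would tighten it. A minor naming point: `transport_security_state_fail` lives in the test that expects success, so `transport_security_state` (as in PKPEnforced) reads better and avoids suggesting the verification is expected to fail.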