1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
11 #include "base/base64.h" | 11 #include "base/base64.h" |
12 #include "base/files/file_path.h" | 12 #include "base/files/file_path.h" |
13 #include "base/json/json_reader.h" | 13 #include "base/json/json_reader.h" |
14 #include "base/rand_util.h" | 14 #include "base/rand_util.h" |
15 #include "base/sha1.h" | 15 #include "base/sha1.h" |
16 #include "base/strings/string_piece.h" | 16 #include "base/strings/string_piece.h" |
17 #include "base/test/histogram_tester.h" | 17 #include "base/test/histogram_tester.h" |
18 #include "base/values.h" | 18 #include "base/values.h" |
19 #include "crypto/openssl_util.h" | 19 #include "crypto/openssl_util.h" |
20 #include "crypto/sha2.h" | 20 #include "crypto/sha2.h" |
21 #include "net/base/host_port_pair.h" | 21 #include "net/base/host_port_pair.h" |
22 #include "net/base/net_errors.h" | 22 #include "net/base/net_errors.h" |
23 #include "net/base/test_completion_callback.h" | 23 #include "net/base/test_completion_callback.h" |
24 #include "net/base/test_data_directory.h" | 24 #include "net/base/test_data_directory.h" |
25 #include "net/cert/asn1_util.h" | 25 #include "net/cert/asn1_util.h" |
26 #include "net/cert/cert_verifier.h" | 26 #include "net/cert/cert_verifier.h" |
27 #include "net/cert/cert_verify_result.h" | 27 #include "net/cert/cert_verify_result.h" |
28 #include "net/cert/ct_policy_status.h" | 28 #include "net/cert/ct_policy_status.h" |
29 #include "net/cert/expect_staple_report.h" | |
30 #include "net/cert/internal/test_helpers.h" | |
29 #include "net/cert/test_root_certs.h" | 31 #include "net/cert/test_root_certs.h" |
30 #include "net/cert/x509_cert_types.h" | 32 #include "net/cert/x509_cert_types.h" |
31 #include "net/cert/x509_certificate.h" | 33 #include "net/cert/x509_certificate.h" |
32 #include "net/http/http_util.h" | 34 #include "net/http/http_util.h" |
33 #include "net/log/net_log.h" | 35 #include "net/log/net_log.h" |
34 #include "net/ssl/ssl_info.h" | 36 #include "net/ssl/ssl_info.h" |
35 #include "net/test/cert_test_util.h" | 37 #include "net/test/cert_test_util.h" |
36 #include "testing/gtest/include/gtest/gtest.h" | 38 #include "testing/gtest/include/gtest/gtest.h" |
37 | 39 |
38 namespace net { | 40 namespace net { |
71 const char* const kBadPath[] = { | 73 const char* const kBadPath[] = { |
72 "sha1/111111111111111111111111111=", | 74 "sha1/111111111111111111111111111=", |
73 "sha1/222222222222222222222222222=", | 75 "sha1/222222222222222222222222222=", |
74 "sha1/333333333333333333333333333=", | 76 "sha1/333333333333333333333333333=", |
75 "sha256/1111111111111111111111111111111111111111111=", | 77 "sha256/1111111111111111111111111111111111111111111=", |
76 "sha256/2222222222222222222222222222222222222222222=", | 78 "sha256/2222222222222222222222222222222222222222222=", |
77 "sha256/3333333333333333333333333333333333333333333=", | 79 "sha256/3333333333333333333333333333333333333333333=", |
78 nullptr, | 80 nullptr, |
79 }; | 81 }; |
80 | 82 |
81 // A mock ReportSenderInterface that just remembers the latest report | 83 const char kOCSPPathPrefix[] = "net/data/parse_ocsp_unittest/"; |
84 | |
85 const base::TimeDelta& kOCSPResponseMaxAge = base::TimeDelta::FromDays(3650); | |
86 | |
87 // A mock ReportSender that just remembers the latest report | |
82 // URI and report to be sent. | 88 // URI and report to be sent. |
83 class MockCertificateReportSender | 89 class MockCertificateReportSender |
84 : public TransportSecurityState::ReportSenderInterface { | 90 : public TransportSecurityState::ReportSenderInterface { |
85 public: | 91 public: |
86 MockCertificateReportSender() {} | 92 MockCertificateReportSender() {} |
87 ~MockCertificateReportSender() override {} | 93 ~MockCertificateReportSender() override {} |
88 | 94 |
89 void Send(const GURL& report_uri, const std::string& report) override { | 95 void Send(const GURL& report_uri, const std::string& report) override { |
90 latest_report_uri_ = report_uri; | 96 latest_report_uri_ = report_uri; |
91 latest_report_ = report; | 97 latest_report_ = report; |
1862 state.ProcessExpectCTHeader("preload", host_port, ssl_info); | 1868 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
1863 EXPECT_EQ(1u, reporter.num_failures()); | 1869 EXPECT_EQ(1u, reporter.num_failures()); |
1864 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); | 1870 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); |
1865 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, | 1871 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, |
1866 reporter.ssl_info().ct_cert_policy_compliance); | 1872 reporter.ssl_info().ct_cert_policy_compliance); |
1867 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 1873 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
1868 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 1874 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
1869 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 1875 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
1870 } | 1876 } |
1871 | 1877 |
1878 class MockExpectStapleReportSender : public MockCertificateReportSender { | |
1879 public: | |
1880 bool ReportSent() { return latest_report() != ""; } | |
Ryan Sleevi
2016/06/16 21:49:30
return !latest_report().empty()
| |
1881 }; | |
1882 | |
1883 class ExpectStapleTest : public TransportSecurityStateTest { | |
1884 public: | |
1885 void SetUp() override { | |
Ryan Sleevi
2016/06/16 21:49:30
https://github.com/google/googletest/blob/master/g
| |
1886 TransportSecurityStateTest::SetUp(); | |
1887 security_state_.SetReportSender(&report_sender_); | |
1888 EnableStaticExpectStaple(&security_state_); | |
1889 verify_time_ = base::Time::Now(); | |
1890 } | |
1891 | |
1892 struct OCSPTest { | |
1893 std::string response; | |
1894 scoped_refptr<X509Certificate> certificate; | |
1895 }; | |
1896 | |
1897 static bool LoadOCSPFromFile(std::string file_name, OCSPTest* ocsp) { | |
Ryan Sleevi
2016/06/16 21:49:29
Why static?
dadrian
2016/06/17 17:26:55
Matching other tests, and this doesn't/shouldn't n
| |
1898 std::string ca_data; | |
1899 std::string cert_data; | |
1900 const PemBlockMapping mappings[] = { | |
1901 {"OCSP RESPONSE", &ocsp->response}, | |
1902 {"CA CERTIFICATE", &ca_data}, | |
1903 {"CERTIFICATE", &cert_data}, | |
1904 }; | |
1905 std::string full_path = std::string(kOCSPPathPrefix) + file_name; | |
1906 if (!ReadTestDataFromPemFile(full_path, mappings)) | |
1907 return false; | |
1908 | |
1909 // Parse the server certificate | |
1910 CertificateList server_cert_list = | |
1911 X509Certificate::CreateCertificateListFromBytes( | |
1912 cert_data.data(), cert_data.size(), | |
1913 X509Certificate::FORMAT_SINGLE_CERTIFICATE); | |
1914 ocsp->certificate = server_cert_list[0]; | |
1915 return true; | |
1916 } | |
1917 | |
1918 static void CheckExpectStapleReport( | |
Ryan Sleevi
2016/06/16 21:49:30
Why static?
| |
1919 const std::string& serialized_report, | |
1920 const HostPortPair& host_port, | |
1921 const X509Certificate& served_certificate_chain, | |
1922 bool is_issued_by_known_root, | |
1923 const ExpectStapleReport& report) { | |
1924 std::unique_ptr<base::Value> value( | |
1925 base::JSONReader::Read(serialized_report)); | |
1926 ASSERT_TRUE(value); | |
1927 ASSERT_TRUE(value->IsType(base::Value::TYPE_DICTIONARY)); | |
1928 | |
1929 base::DictionaryValue* report_dict; | |
1930 ASSERT_TRUE(value->GetAsDictionary(&report_dict)); | |
1931 std::string report_hostname; | |
1932 EXPECT_TRUE(report_dict->GetString("hostname", &report_hostname)); | |
1933 EXPECT_EQ(host_port.host(), report_hostname); | |
1934 int report_port; | |
1935 EXPECT_TRUE(report_dict->GetInteger("port", &report_port)); | |
1936 EXPECT_EQ(host_port.port(), report_port); | |
1937 | |
1938 // Check certificate chain. | |
1939 const base::ListValue* report_served_certificate_chain = nullptr; | |
1940 if (is_issued_by_known_root) { | |
1941 ASSERT_TRUE(report_dict->GetList("served-certificate-chain", | |
1942 &report_served_certificate_chain)); | |
1943 std::vector<std::string> pem_encoded_chain; | |
1944 served_certificate_chain.GetPEMEncodedChain(&pem_encoded_chain); | |
1945 ASSERT_EQ(pem_encoded_chain.size(), | |
1946 report_served_certificate_chain->GetSize()); | |
1947 for (size_t i = 0; i < pem_encoded_chain.size(); i++) { | |
1948 std::string cert_pem; | |
1949 ASSERT_TRUE(report_served_certificate_chain->GetString(i, &cert_pem)); | |
1950 EXPECT_EQ(pem_encoded_chain[i], cert_pem); | |
1951 } | |
1952 } else { | |
1953 EXPECT_FALSE(report_dict->GetList("served-certificate-chain", | |
1954 &report_served_certificate_chain)); | |
1955 } | |
1956 | |
1957 // Check stapled responses. | |
1958 const base::ListValue* report_ocsp_responses = nullptr; | |
1959 ASSERT_TRUE(report_dict->GetList("ocsp-responses", &report_ocsp_responses)); | |
1960 const auto& ocsp_responses = report.stapled_responses(); | |
1961 ASSERT_EQ(ocsp_responses.size(), report_ocsp_responses->GetSize()); | |
1962 for (size_t i = 0; i < ocsp_responses.size(); i++) { | |
1963 const base::DictionaryValue* report_ocsp_response = nullptr; | |
1964 report_ocsp_responses->GetDictionary(i, &report_ocsp_response); | |
1965 bool is_date_valid; | |
1966 ASSERT_TRUE( | |
1967 report_ocsp_response->GetBoolean("is-date-valid", &is_date_valid)); | |
1968 EXPECT_EQ(ocsp_responses[i].is_date_valid, is_date_valid); | |
1969 bool is_correct_certificate; | |
1970 ASSERT_TRUE(report_ocsp_response->GetBoolean("is-correct-certificate", | |
1971 &is_correct_certificate)); | |
1972 EXPECT_EQ(ocsp_responses[i].is_correct_certificate, | |
1973 is_correct_certificate); | |
1974 } | |
1975 } | |
1976 | |
1977 protected: | |
1978 static bool SerializeExpectStapleReport( | |
Ryan Sleevi
2016/06/16 21:49:29
Why static?
| |
1979 const HostPortPair& host_port_pair, | |
1980 const X509Certificate& unverified_certificate, | |
1981 bool is_issued_by_known_root, | |
1982 const ExpectStapleReport& report, | |
1983 std::string* serialized_report) { | |
1984 return TransportSecurityState::SerializeExpectStapleReport( | |
1985 host_port_pair, unverified_certificate, is_issued_by_known_root, report, | |
1986 serialized_report); | |
1987 } | |
1988 | |
1989 TransportSecurityState security_state_; | |
1990 MockExpectStapleReportSender report_sender_; | |
1991 base::Time verify_time_; | |
1992 }; | |
1993 | |
1994 TEST_F(ExpectStapleTest, NoReportGoodResponse) { | |
1995 OCSPTest ocsp_test; | |
1996 ASSERT_TRUE(LoadOCSPFromFile("good_response.pem", &ocsp_test)); | |
1997 HostPortPair host_port(kExpectStapleStaticHostname, 443); | |
1998 security_state_.CheckExpectStaple(host_port, *ocsp_test.certificate, | |
1999 *ocsp_test.certificate, true, verify_time_, | |
2000 kOCSPResponseMaxAge, ocsp_test.response); | |
2001 EXPECT_FALSE(report_sender_.ReportSent()); | |
2002 }; | |
2003 | |
2004 TEST_F(ExpectStapleTest, ReportMissingResponse) { | |
2005 OCSPTest ocsp_test; | |
2006 ASSERT_TRUE(LoadOCSPFromFile("missing_response.pem", &ocsp_test)); | |
2007 HostPortPair host_port(kExpectStapleStaticHostname, 443); | |
2008 security_state_.CheckExpectStaple(host_port, *ocsp_test.certificate, | |
2009 *ocsp_test.certificate, true, verify_time_, | |
2010 kOCSPResponseMaxAge, ocsp_test.response); | |
2011 EXPECT_TRUE(report_sender_.ReportSent()); | |
2012 }; | |
2013 | |
2014 TEST_F(ExpectStapleTest, ReportOldResponse) { | |
2015 OCSPTest ocsp_test; | |
2016 ASSERT_TRUE(LoadOCSPFromFile("good_response.pem", &ocsp_test)); | |
2017 HostPortPair host_port(kExpectStapleStaticHostname, 443); | |
2018 security_state_.CheckExpectStaple( | |
2019 host_port, *ocsp_test.certificate, *ocsp_test.certificate, true, | |
2020 verify_time_, base::TimeDelta::FromDays(7), ocsp_test.response); | |
2021 EXPECT_TRUE(report_sender_.ReportSent()); | |
2022 }; | |
2023 | |
2024 TEST_F(ExpectStapleTest, RevokedResponse) { | |
2025 OCSPTest ocsp_test; | |
2026 ASSERT_TRUE(LoadOCSPFromFile("revoke_response.pem", &ocsp_test)); | |
2027 HostPortPair host_port(kExpectStapleStaticHostname, 443); | |
2028 security_state_.CheckExpectStaple(host_port, *ocsp_test.certificate, | |
2029 *ocsp_test.certificate, true, verify_time_, | |
2030 kOCSPResponseMaxAge, ocsp_test.response); | |
2031 EXPECT_TRUE(report_sender_.ReportSent()); | |
2032 }; | |
2033 | |
2034 TEST_F(ExpectStapleTest, HasExtensions) { | |
2035 OCSPTest ocsp_test; | |
2036 ASSERT_TRUE(LoadOCSPFromFile("has_extension.pem", &ocsp_test)); | |
2037 HostPortPair host_port(kExpectStapleStaticHostname, 443); | |
2038 security_state_.CheckExpectStaple(host_port, *ocsp_test.certificate, | |
2039 *ocsp_test.certificate, true, verify_time_, | |
2040 kOCSPResponseMaxAge, ocsp_test.response); | |
2041 EXPECT_FALSE(report_sender_.ReportSent()); | |
2042 }; | |
2043 | |
2044 TEST_F(ExpectStapleTest, MultipleResponse) { | |
2045 OCSPTest ocsp_test; | |
2046 ASSERT_TRUE(LoadOCSPFromFile("multiple_response.pem", &ocsp_test)); | |
2047 HostPortPair host_port(kExpectStapleStaticHostname, 443); | |
2048 security_state_.CheckExpectStaple(host_port, *ocsp_test.certificate, | |
2049 *ocsp_test.certificate, true, verify_time_, | |
2050 kOCSPResponseMaxAge, ocsp_test.response); | |
2051 EXPECT_FALSE(report_sender_.ReportSent()); | |
2052 }; | |
2053 | |
2054 TEST_F(ExpectStapleTest, SerializeEmptyReport) { | |
2055 OCSPTest ocsp_test; | |
2056 ASSERT_TRUE(LoadOCSPFromFile("missing_response.pem", &ocsp_test)); | |
2057 HostPortPair host_port(kExpectStapleStaticHostname, 443); | |
2058 std::unique_ptr<ExpectStapleReport> report = | |
2059 ExpectStapleReport::FromRawOCSPResponse(ocsp_test.response, verify_time_, | |
2060 kOCSPResponseMaxAge, | |
2061 *ocsp_test.certificate); | |
2062 ASSERT_TRUE(report); | |
2063 std::string serialized_report; | |
2064 ASSERT_TRUE(SerializeExpectStapleReport(host_port, *ocsp_test.certificate, | |
2065 true, *report, &serialized_report)); | |
2066 ASSERT_NO_FATAL_FAILURE(CheckExpectStapleReport( | |
2067 serialized_report, host_port, *ocsp_test.certificate, true, *report)); | |
2068 }; | |
2069 | |
2070 TEST_F(ExpectStapleTest, SerializeMultipleResponses) { | |
2071 OCSPTest ocsp_test; | |
2072 ASSERT_TRUE(LoadOCSPFromFile("multiple_response.pem", &ocsp_test)); | |
2073 HostPortPair host_port(kExpectStapleStaticHostname, 443); | |
2074 std::unique_ptr<ExpectStapleReport> report = | |
2075 ExpectStapleReport::FromRawOCSPResponse(ocsp_test.response, verify_time_, | |
2076 kOCSPResponseMaxAge, | |
2077 *ocsp_test.certificate); | |
2078 ASSERT_TRUE(report); | |
2079 std::string serialized_report; | |
2080 ASSERT_TRUE(SerializeExpectStapleReport(host_port, *ocsp_test.certificate, | |
2081 true, *report, &serialized_report)); | |
2082 ASSERT_NO_FATAL_FAILURE(CheckExpectStapleReport( | |
2083 serialized_report, host_port, *ocsp_test.certificate, true, *report)); | |
2084 }; | |
2085 | |
2086 TEST_F(ExpectStapleTest, SerializeMultipleResponsesPrivateRoot) { | |
2087 OCSPTest ocsp_test; | |
2088 ASSERT_TRUE(LoadOCSPFromFile("multiple_response.pem", &ocsp_test)); | |
2089 HostPortPair host_port(kExpectStapleStaticHostname, 443); | |
2090 std::unique_ptr<ExpectStapleReport> report = | |
2091 ExpectStapleReport::FromRawOCSPResponse(ocsp_test.response, verify_time_, | |
2092 kOCSPResponseMaxAge, | |
2093 *ocsp_test.certificate); | |
2094 ASSERT_TRUE(report); | |
2095 std::string serialized_report; | |
2096 ASSERT_TRUE(SerializeExpectStapleReport(host_port, *ocsp_test.certificate, | |
2097 false, *report, &serialized_report)); | |
2098 ASSERT_NO_FATAL_FAILURE(CheckExpectStapleReport( | |
2099 serialized_report, host_port, *ocsp_test.certificate, false, *report)); | |
2100 }; | |
2101 | |
1872 } // namespace net | 2102 } // namespace net |
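Review bot: `LoadOCSPFromFile` (new line 1914) indexes `server_cert_list[0]` without checking that `CreateCertificateListFromBytes` produced anything, so a malformed or mislabeled `CERTIFICATE` block in a fixture becomes an out-of-bounds read in the test instead of a clean failure; add `if (server_cert_list.empty()) return false;` before the assignment. Similarly, `CheckExpectStapleReport` (new line 1964) discards the return value of `GetDictionary` and then dereferences `report_ocsp_response`, which is null when the list element is not a dictionary — wrap it as `ASSERT_TRUE(report_ocsp_responses->GetDictionary(i, &report_ocsp_response));`. Also worth noting that `verify_time_` is `base::Time::Now()` combined with a fixed 3650-day max age (new line 85), so `NoReportGoodResponse` and `HasExtensions` will presumably start reporting once the fixture responses age past that window; a verify time pinned relative to the fixtures would avoid that. Minor: `kOCSPResponseMaxAge` is a namespace-scope `const base::TimeDelta&` bound to a temporary — a plain `const base::TimeDelta` value is clearer — and `file_name` could be taken as `const std::string&`.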