| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/base64.h" | 11 #include "base/base64.h" |
| 12 #include "base/files/file_path.h" | 12 #include "base/files/file_path.h" |
| 13 #include "base/json/json_reader.h" | 13 #include "base/json/json_reader.h" |
| 14 #include "base/rand_util.h" | 14 #include "base/rand_util.h" |
| 15 #include "base/sha1.h" | 15 #include "base/sha1.h" |
| 16 #include "base/strings/string_piece.h" | 16 #include "base/strings/string_piece.h" |
| 17 #include "base/test/histogram_tester.h" | 17 #include "base/test/histogram_tester.h" |
| 18 #include "base/values.h" | 18 #include "base/values.h" |
| 19 #include "crypto/openssl_util.h" | 19 #include "crypto/openssl_util.h" |
| 20 #include "crypto/sha2.h" | 20 #include "crypto/sha2.h" |
| 21 #include "net/base/host_port_pair.h" | 21 #include "net/base/host_port_pair.h" |
| 22 #include "net/base/net_errors.h" | 22 #include "net/base/net_errors.h" |
| 23 #include "net/base/test_completion_callback.h" | 23 #include "net/base/test_completion_callback.h" |
| 24 #include "net/cert/asn1_util.h" | 24 #include "net/cert/asn1_util.h" |
| 25 #include "net/cert/cert_verifier.h" | 25 #include "net/cert/cert_verifier.h" |
| 26 #include "net/cert/cert_verify_result.h" | 26 #include "net/cert/cert_verify_result.h" |
| 27 #include "net/cert/ct_policy_status.h" | 27 #include "net/cert/ct_policy_status.h" |
| 28 #include "net/cert/internal/test_helpers.h" |
| 28 #include "net/cert/test_root_certs.h" | 29 #include "net/cert/test_root_certs.h" |
| 29 #include "net/cert/x509_cert_types.h" | 30 #include "net/cert/x509_cert_types.h" |
| 30 #include "net/cert/x509_certificate.h" | 31 #include "net/cert/x509_certificate.h" |
| 31 #include "net/http/http_util.h" | 32 #include "net/http/http_util.h" |
| 32 #include "net/log/net_log.h" | 33 #include "net/log/net_log.h" |
| 33 #include "net/ssl/ssl_info.h" | 34 #include "net/ssl/ssl_info.h" |
| 34 #include "net/test/cert_test_util.h" | 35 #include "net/test/cert_test_util.h" |
| 35 #include "net/test/test_data_directory.h" | 36 #include "net/test/test_data_directory.h" |
| 36 #include "testing/gtest/include/gtest/gtest.h" | 37 #include "testing/gtest/include/gtest/gtest.h" |
| 37 | 38 |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 71 const char* const kBadPath[] = { | 72 const char* const kBadPath[] = { |
| 72 "sha1/111111111111111111111111111=", | 73 "sha1/111111111111111111111111111=", |
| 73 "sha1/222222222222222222222222222=", | 74 "sha1/222222222222222222222222222=", |
| 74 "sha1/333333333333333333333333333=", | 75 "sha1/333333333333333333333333333=", |
| 75 "sha256/1111111111111111111111111111111111111111111=", | 76 "sha256/1111111111111111111111111111111111111111111=", |
| 76 "sha256/2222222222222222222222222222222222222222222=", | 77 "sha256/2222222222222222222222222222222222222222222=", |
| 77 "sha256/3333333333333333333333333333333333333333333=", | 78 "sha256/3333333333333333333333333333333333333333333=", |
| 78 nullptr, | 79 nullptr, |
| 79 }; | 80 }; |
| 80 | 81 |
| 81 // A mock ReportSenderInterface that just remembers the latest report | 82 const char kOCSPPathPrefix[] = "net/data/parse_ocsp_unittest/"; |
| 83 |
| 84 // A mock ReportSender that just remembers the latest report |
| 82 // URI and report to be sent. | 85 // URI and report to be sent. |
| 83 class MockCertificateReportSender | 86 class MockCertificateReportSender |
| 84 : public TransportSecurityState::ReportSenderInterface { | 87 : public TransportSecurityState::ReportSenderInterface { |
| 85 public: | 88 public: |
| 86 MockCertificateReportSender() {} | 89 MockCertificateReportSender() {} |
| 87 ~MockCertificateReportSender() override {} | 90 ~MockCertificateReportSender() override {} |
| 88 | 91 |
| 89 void Send(const GURL& report_uri, const std::string& report) override { | 92 void Send(const GURL& report_uri, const std::string& report) override { |
| 90 latest_report_uri_ = report_uri; | 93 latest_report_uri_ = report_uri; |
| 91 latest_report_ = report; | 94 latest_report_ = report; |
| (...skipping 1784 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1876 state.ProcessExpectCTHeader("preload", host_port, ssl_info); | 1879 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
| 1877 EXPECT_EQ(1u, reporter.num_failures()); | 1880 EXPECT_EQ(1u, reporter.num_failures()); |
| 1878 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); | 1881 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); |
| 1879 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, | 1882 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, |
| 1880 reporter.ssl_info().ct_cert_policy_compliance); | 1883 reporter.ssl_info().ct_cert_policy_compliance); |
| 1881 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 1884 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
| 1882 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 1885 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
| 1883 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 1886 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
| 1884 } | 1887 } |
| 1885 | 1888 |
| 1889 class MockExpectStapleReportSender : public MockCertificateReportSender { |
| 1890 public: |
| 1891 bool ReportSent() { return !latest_report().empty(); } |
| 1892 }; |
| 1893 |
| 1894 class ExpectStapleTest : public TransportSecurityStateTest { |
| 1895 public: |
| 1896 ExpectStapleTest() : verify_time_(base::Time::Now()) { |
| 1897 TransportSecurityStateTest::SetUp(); |
| 1898 security_state_.SetReportSender(&report_sender_); |
| 1899 EnableStaticExpectStaple(&security_state_); |
| 1900 } |
| 1901 |
| 1902 struct OCSPTest { |
| 1903 std::string response; |
| 1904 scoped_refptr<X509Certificate> certificate; |
| 1905 }; |
| 1906 |
| 1907 static bool LoadOCSPFromFile(std::string file_name, OCSPTest* ocsp) { |
| 1908 std::string ca_data; |
| 1909 std::string cert_data; |
| 1910 const PemBlockMapping mappings[] = { |
| 1911 {"OCSP RESPONSE", &ocsp->response}, |
| 1912 {"CA CERTIFICATE", &ca_data}, |
| 1913 {"CERTIFICATE", &cert_data}, |
| 1914 }; |
| 1915 std::string full_path = std::string(kOCSPPathPrefix) + file_name; |
| 1916 if (!ReadTestDataFromPemFile(full_path, mappings)) |
| 1917 return false; |
| 1918 |
| 1919 // Parse the server certificate |
| 1920 CertificateList server_cert_list = |
| 1921 X509Certificate::CreateCertificateListFromBytes( |
| 1922 cert_data.data(), cert_data.size(), |
| 1923 X509Certificate::FORMAT_SINGLE_CERTIFICATE); |
| 1924 ocsp->certificate = server_cert_list[0]; |
| 1925 return true; |
| 1926 } |
| 1927 |
| 1928 static void CheckExpectStapleReport( |
| 1929 const std::string& serialized_report, |
| 1930 const HostPortPair& host_port, |
| 1931 const X509Certificate& served_certificate_chain, |
| 1932 bool is_issued_by_known_root, |
| 1933 const OCSPVerifyResult& ocsp_verify_result) { |
| 1934 std::unique_ptr<base::Value> value( |
| 1935 base::JSONReader::Read(serialized_report)); |
| 1936 ASSERT_TRUE(value); |
| 1937 ASSERT_TRUE(value->IsType(base::Value::TYPE_DICTIONARY)); |
| 1938 |
| 1939 base::DictionaryValue* report_dict; |
| 1940 ASSERT_TRUE(value->GetAsDictionary(&report_dict)); |
| 1941 std::string report_hostname; |
| 1942 EXPECT_TRUE(report_dict->GetString("hostname", &report_hostname)); |
| 1943 EXPECT_EQ(host_port.host(), report_hostname); |
| 1944 int report_port; |
| 1945 EXPECT_TRUE(report_dict->GetInteger("port", &report_port)); |
| 1946 EXPECT_EQ(host_port.port(), report_port); |
| 1947 |
| 1948 // Check certificate chain. |
| 1949 const base::ListValue* report_served_certificate_chain = nullptr; |
| 1950 if (is_issued_by_known_root) { |
| 1951 ASSERT_TRUE(report_dict->GetList("served-certificate-chain", |
| 1952 &report_served_certificate_chain)); |
| 1953 std::vector<std::string> pem_encoded_chain; |
| 1954 served_certificate_chain.GetPEMEncodedChain(&pem_encoded_chain); |
| 1955 ASSERT_EQ(pem_encoded_chain.size(), |
| 1956 report_served_certificate_chain->GetSize()); |
| 1957 for (size_t i = 0; i < pem_encoded_chain.size(); i++) { |
| 1958 std::string cert_pem; |
| 1959 ASSERT_TRUE(report_served_certificate_chain->GetString(i, &cert_pem)); |
| 1960 EXPECT_EQ(pem_encoded_chain[i], cert_pem); |
| 1961 } |
| 1962 } else { |
| 1963 EXPECT_FALSE(report_dict->GetList("served-certificate-chain", |
| 1964 &report_served_certificate_chain)); |
| 1965 } |
| 1966 |
| 1967 // Check stapled responses. |
| 1968 const base::ListValue* report_ocsp_responses = nullptr; |
| 1969 ASSERT_TRUE(report_dict->GetList("ocsp-responses", &report_ocsp_responses)); |
| 1970 const auto& ocsp_responses = ocsp_verify_result.stapled_responses; |
| 1971 ASSERT_EQ(ocsp_responses.size(), report_ocsp_responses->GetSize()); |
| 1972 for (size_t i = 0; i < ocsp_responses.size(); i++) { |
| 1973 const base::DictionaryValue* report_ocsp_response = nullptr; |
| 1974 report_ocsp_responses->GetDictionary(i, &report_ocsp_response); |
| 1975 bool is_date_valid; |
| 1976 ASSERT_TRUE( |
| 1977 report_ocsp_response->GetBoolean("is-date-valid", &is_date_valid)); |
| 1978 EXPECT_EQ(ocsp_responses[i].is_date_valid, is_date_valid); |
| 1979 bool is_correct_certificate; |
| 1980 ASSERT_TRUE(report_ocsp_response->GetBoolean("is-correct-certificate", |
| 1981 &is_correct_certificate)); |
| 1982 EXPECT_EQ(ocsp_responses[i].is_correct_certificate, |
| 1983 is_correct_certificate); |
| 1984 } |
| 1985 } |
| 1986 |
| 1987 protected: |
| 1988 static bool SerializeExpectStapleReport( |
| 1989 const HostPortPair& host_port_pair, |
| 1990 const X509Certificate& unverified_certificate, |
| 1991 bool is_issued_by_known_root, |
| 1992 const OCSPVerifyResult& ocsp_verify_result, |
| 1993 std::string* serialized_report) { |
| 1994 return TransportSecurityState::SerializeExpectStapleReport( |
| 1995 host_port_pair, unverified_certificate, is_issued_by_known_root, |
| 1996 ocsp_verify_result, serialized_report); |
| 1997 } |
| 1998 |
| 1999 TransportSecurityState security_state_; |
| 2000 MockExpectStapleReportSender report_sender_; |
| 2001 base::Time verify_time_; |
| 2002 }; |
| 2003 |
| 2004 TEST_F(ExpectStapleTest, TestSerialization){ |
| 2005 // TODO(dadrian) |
| 2006 }; |
| 2007 |
| 1886 } // namespace net | 2008 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2040513003:
Implement Expect-Staple (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master