Chromium Code Reviews Chromium Code Reviews
Issue 2040513003:
Implement Expect-Staple (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <memory> | 5 #include <memory> |
| 6 #include <utility> | 6 #include <utility> |
| 7 | 7 |
| 8 #include "base/memory/ptr_util.h" | 8 #include "base/memory/ptr_util.h" |
| 9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
| 10 #include "build/build_config.h" | 10 #include "build/build_config.h" |
| (...skipping 9229 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 9240 ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); | 9240 ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); |
| 9241 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); | 9241 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); |
| 9242 test_root_.reset(new ScopedTestRoot(root_cert.get())); | 9242 test_root_.reset(new ScopedTestRoot(root_cert.get())); |
| 9243 | 9243 |
| 9244 #if defined(USE_NSS_CERTS) | 9244 #if defined(USE_NSS_CERTS) |
| 9245 SetURLRequestContextForNSSHttpIO(&context_); | 9245 SetURLRequestContextForNSSHttpIO(&context_); |
| 9246 EnsureNSSHttpIOInit(); | 9246 EnsureNSSHttpIOInit(); |
| 9247 #endif | 9247 #endif |
| 9248 } | 9248 } |
| 9249 | 9249 |
| 9250 void DoConnection(const SpawnedTestServer::SSLOptions& ssl_options, | 9250 ::testing::AssertionResult DoConnection( |
|
svaldez
2016/06/23 14:03:16
Is this change necessary?
| |
| 9251 CertStatus* out_cert_status) { | 9251 const SpawnedTestServer::SSLOptions& ssl_options, |
| 9252 // We always overwrite out_cert_status. | 9252 SSLInfo* out_ssl_info) { |
| 9253 *out_cert_status = 0; | 9253 // Always overwrite |out_ssl_info|. |
| 9254 out_ssl_info->Reset(); | |
| 9255 | |
| 9254 SpawnedTestServer test_server( | 9256 SpawnedTestServer test_server( |
| 9255 SpawnedTestServer::TYPE_HTTPS, | 9257 SpawnedTestServer::TYPE_HTTPS, |
| 9256 ssl_options, | 9258 ssl_options, |
| 9257 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 9259 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
| 9258 ASSERT_TRUE(test_server.Start()); | 9260 EXPECT_TRUE(test_server.Start()); |
| 9259 | 9261 |
| 9260 TestDelegate d; | 9262 TestDelegate d; |
| 9261 d.set_allow_certificate_errors(true); | 9263 d.set_allow_certificate_errors(true); |
| 9262 std::unique_ptr<URLRequest> r( | 9264 std::unique_ptr<URLRequest> r( |
| 9263 context_.CreateRequest(test_server.GetURL("/"), DEFAULT_PRIORITY, &d)); | 9265 context_.CreateRequest(test_server.GetURL("/"), DEFAULT_PRIORITY, &d)); |
| 9264 r->Start(); | 9266 r->Start(); |
| 9265 | 9267 |
| 9266 base::RunLoop().Run(); | 9268 base::RunLoop().Run(); |
| 9269 EXPECT_EQ(1, d.response_started_count()); | |
| 9267 | 9270 |
| 9268 EXPECT_EQ(1, d.response_started_count()); | 9271 *out_ssl_info = r->ssl_info(); |
| 9269 *out_cert_status = r->ssl_info().cert_status; | 9272 return ::testing::AssertionSuccess(); |
| 9273 } | |
| 9274 | |
| 9275 ::testing::AssertionResult DoConnection( | |
|
svaldez
2016/06/23 14:03:16
Same.
| |
| 9276 const SpawnedTestServer::SSLOptions& ssl_options, | |
| 9277 CertStatus* out_cert_status) { | |
| 9278 // Always overwrite |out_cert_status|. | |
| 9279 *out_cert_status = 0; | |
| 9280 | |
| 9281 SSLInfo ssl_info; | |
| 9282 EXPECT_TRUE(DoConnection(ssl_options, &ssl_info)); | |
| 9283 | |
| 9284 *out_cert_status = ssl_info.cert_status; | |
| 9285 return ::testing::AssertionSuccess(); | |
| 9270 } | 9286 } |
| 9271 | 9287 |
| 9272 ~HTTPSOCSPTest() override { | 9288 ~HTTPSOCSPTest() override { |
| 9273 #if defined(USE_NSS_CERTS) | 9289 #if defined(USE_NSS_CERTS) |
| 9274 ShutdownNSSHttpIO(); | 9290 ShutdownNSSHttpIO(); |
| 9275 #endif | 9291 #endif |
| 9276 } | 9292 } |
| 9277 | 9293 |
| 9278 protected: | 9294 protected: |
| 9279 class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer { | 9295 class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer { |
| (...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 9478 ssl_options.ocsp_server_unavailable = true; | 9494 ssl_options.ocsp_server_unavailable = true; |
| 9479 | 9495 |
| 9480 CertStatus cert_status; | 9496 CertStatus cert_status; |
| 9481 DoConnection(ssl_options, &cert_status); | 9497 DoConnection(ssl_options, &cert_status); |
| 9482 | 9498 |
| 9483 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); | 9499 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); |
| 9484 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9500 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9485 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9501 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| 9486 } | 9502 } |
| 9487 | 9503 |
| 9504 static const struct OCSPVerifyTestData { | |
| 9505 SpawnedTestServer::SSLOptions::OCSPStatus ocsp_status; | |
| 9506 SpawnedTestServer::SSLOptions::OCSPDate ocsp_date; | |
| 9507 OCSPVerifyResult::ResponseStatus response_status; | |
| 9508 bool is_date_valid; | |
| 9509 bool has_cert_status; | |
| 9510 OCSPCertStatus::Status cert_status; | |
| 9511 } kOCSPVerifyData[] = { | |
| 9512 { | |
| 9513 SpawnedTestServer::SSLOptions::OCSP_OK, | |
| 9514 SpawnedTestServer::SSLOptions::OCSP_VALID, OCSPVerifyResult::PROVIDED, | |
| 9515 true, true, OCSPCertStatus::Status::GOOD, | |
| 9516 }, | |
| 9517 { | |
| 9518 SpawnedTestServer::SSLOptions::OCSP_OK, | |
| 9519 SpawnedTestServer::SSLOptions::OCSP_OLD, | |
| 9520 OCSPVerifyResult::NO_MATCHING_RESPONSE, false, false, | |
| 9521 OCSPCertStatus::Status::GOOD, | |
| 9522 }, | |
| 9523 { | |
| 9524 SpawnedTestServer::SSLOptions::OCSP_OK, | |
| 9525 SpawnedTestServer::SSLOptions::OCSP_YOUNG, | |
| 9526 OCSPVerifyResult::NO_MATCHING_RESPONSE, false, false, | |
| 9527 OCSPCertStatus::Status::GOOD, | |
| 9528 }, | |
| 9529 { | |
| 9530 SpawnedTestServer::SSLOptions::OCSP_OK, | |
| 9531 SpawnedTestServer::SSLOptions::OCSP_LONG, | |
| 9532 OCSPVerifyResult::NO_MATCHING_RESPONSE, false, false, | |
| 9533 OCSPCertStatus::Status::GOOD, | |
| 9534 }, | |
| 9535 }; | |
| 9536 | |
| 9537 class HTTPSOCSPVerifyTest | |
| 9538 : public HTTPSOCSPTest, | |
| 9539 public testing::WithParamInterface<OCSPVerifyTestData> { | |
| 9540 public: | |
| 9541 HTTPSOCSPVerifyTest() = default; | |
| 9542 virtual ~HTTPSOCSPVerifyTest() {} | |
| 9543 }; | |
| 9544 | |
| 9545 TEST_P(HTTPSOCSPVerifyTest, SingleResponse) { | |
| 9546 SpawnedTestServer::SSLOptions ssl_options( | |
| 9547 SpawnedTestServer::SSLOptions::CERT_AUTO); | |
| 9548 OCSPVerifyTestData test = GetParam(); | |
| 9549 ssl_options.ocsp_status = test.ocsp_status; | |
| 9550 ssl_options.ocsp_date = test.ocsp_date; | |
| 9551 ssl_options.staple_ocsp_response = true; | |
| 9552 | |
| 9553 SSLInfo ssl_info; | |
| 9554 ASSERT_TRUE(DoConnection(ssl_options, &ssl_info)); | |
| 9555 | |
| 9556 EXPECT_EQ(0u, ssl_info.cert_status & CERT_STATUS_ALL_ERRORS); | |
| 9557 EXPECT_EQ(test.response_status, ssl_info.ocsp.response_status); | |
| 9558 | |
| 9559 ASSERT_EQ(1u, ssl_info.ocsp.stapled_responses.size()); | |
| 9560 EXPECT_TRUE(ssl_info.ocsp.stapled_responses[0].did_parse); | |
| 9561 EXPECT_EQ(test.is_date_valid, | |
| 9562 ssl_info.ocsp.stapled_responses[0].is_date_valid); | |
| 9563 EXPECT_TRUE(ssl_info.ocsp.stapled_responses[0].is_correct_certificate); | |
| 9564 EXPECT_EQ(OCSPCertStatus::Status::GOOD, | |
| 9565 ssl_info.ocsp.stapled_responses[0].status); | |
| 9566 | |
| 9567 if (test.has_cert_status) { | |
| 9568 ASSERT_TRUE(ssl_info.ocsp.cert_status); | |
| 9569 EXPECT_EQ(test.cert_status, *ssl_info.ocsp.cert_status); | |
| 9570 } else { | |
| 9571 EXPECT_FALSE(ssl_info.ocsp.cert_status); | |
| 9572 } | |
| 9573 }; | |
| 9574 | |
| 9575 INSTANTIATE_TEST_CASE_P(OCSPVerify, | |
| 9576 HTTPSOCSPVerifyTest, | |
| 9577 testing::ValuesIn(kOCSPVerifyData)); | |
| 9578 | |
| 9488 class HTTPSHardFailTest : public HTTPSOCSPTest { | 9579 class HTTPSHardFailTest : public HTTPSOCSPTest { |
| 9489 protected: | 9580 protected: |
| 9490 void SetupContext() override { | 9581 void SetupContext() override { |
| 9491 context_.set_ssl_config_service(new TestSSLConfigService( | 9582 context_.set_ssl_config_service(new TestSSLConfigService( |
| 9492 false /* check for EV */, false /* online revocation checking */, | 9583 false /* check for EV */, false /* online revocation checking */, |
| 9493 true /* require rev. checking for local | 9584 true /* require rev. checking for local |
| 9494 anchors */, | 9585 anchors */, |
| 9495 false /* token binding enabled */)); | 9586 false /* token binding enabled */)); |
| 9496 } | 9587 } |
| 9497 }; | 9588 }; |
| (...skipping 650 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 10148 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 10239 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
| 10149 | 10240 |
| 10150 req->Start(); | 10241 req->Start(); |
| 10151 req->Cancel(); | 10242 req->Cancel(); |
| 10152 base::RunLoop().RunUntilIdle(); | 10243 base::RunLoop().RunUntilIdle(); |
| 10153 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); | 10244 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); |
| 10154 EXPECT_EQ(0, d.received_redirect_count()); | 10245 EXPECT_EQ(0, d.received_redirect_count()); |
| 10155 } | 10246 } |
| 10156 | 10247 |
| 10157 } // namespace net | 10248 } // namespace net |
| OLD | NEW |
