Chromium Code Reviews Chromium Code Reviews
Issue 2067843003:
Require a CTVerifier and CTPolicyEnforcer for TLS/QUIC sockets (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include "base/memory/ref_counted.h" | 7 #include "base/memory/ref_counted.h" |
| 8 #include "net/base/net_errors.h" | 8 #include "net/base/net_errors.h" |
| 9 #include "net/base/test_data_directory.h" | 9 #include "net/base/test_data_directory.h" |
| 10 #include "net/cert/cert_status_flags.h" | 10 #include "net/cert/cert_status_flags.h" |
| (...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 96 const char kTestHostname[] = "test.example.com"; | 96 const char kTestHostname[] = "test.example.com"; |
| 97 const uint16_t kTestPort = 8443; | 97 const uint16_t kTestPort = 8443; |
| 98 const char kTestConfig[] = "server config bytes"; | 98 const char kTestConfig[] = "server config bytes"; |
| 99 const char kLogDescription[] = "somelog"; | 99 const char kLogDescription[] = "somelog"; |
| 100 | 100 |
| 101 } // namespace | 101 } // namespace |
| 102 | 102 |
| 103 class ProofVerifierChromiumTest : public ::testing::Test { | 103 class ProofVerifierChromiumTest : public ::testing::Test { |
| 104 public: | 104 public: |
| 105 ProofVerifierChromiumTest() | 105 ProofVerifierChromiumTest() |
| 106 : verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/, | 106 : ct_policy_enforcer_(false /*is_ev*/), |
| 107 verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/, | |
| 107 BoundNetLog())) {} | 108 BoundNetLog())) {} |
| 108 | 109 |
| 109 void SetUp() override { | 110 void SetUp() override { |
| 110 scoped_refptr<const CTLogVerifier> log(CTLogVerifier::Create( | 111 scoped_refptr<const CTLogVerifier> log(CTLogVerifier::Create( |
| 111 ct::GetTestPublicKey(), kLogDescription, "https://test.example.com")); | 112 ct::GetTestPublicKey(), kLogDescription, "https://test.example.com")); |
| 112 ASSERT_TRUE(log); | 113 ASSERT_TRUE(log); |
| 113 log_verifiers_.push_back(log); | 114 log_verifiers_.push_back(log); |
| 114 | 115 |
| 115 ct_verifier_.reset(new MultiLogCTVerifier()); | 116 ct_verifier_.reset(new MultiLogCTVerifier()); |
| 116 ct_verifier_->AddLogs(log_verifiers_); | 117 ct_verifier_->AddLogs(log_verifiers_); |
| (...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 191 kLogDescription)); | 192 kLogDescription)); |
| 192 ASSERT_TRUE(ct::CheckForSCTOrigin( | 193 ASSERT_TRUE(ct::CheckForSCTOrigin( |
| 193 ct_verify_result, | 194 ct_verify_result, |
| 194 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION)); | 195 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION)); |
| 195 } else { | 196 } else { |
| 196 EXPECT_EQ(1U, ct_verify_result.unknown_logs_scts.size()); | 197 EXPECT_EQ(1U, ct_verify_result.unknown_logs_scts.size()); |
| 197 } | 198 } |
| 198 } | 199 } |
| 199 | 200 |
| 200 protected: | 201 protected: |
| 202 TransportSecurityState transport_security_state_; | |
| 203 MockCTPolicyEnforcer ct_policy_enforcer_; | |
| 204 | |
| 201 std::unique_ptr<MultiLogCTVerifier> ct_verifier_; | 205 std::unique_ptr<MultiLogCTVerifier> ct_verifier_; |
| 202 std::vector<scoped_refptr<const CTLogVerifier>> log_verifiers_; | 206 std::vector<scoped_refptr<const CTLogVerifier>> log_verifiers_; |
| 203 std::unique_ptr<ProofVerifyContext> verify_context_; | 207 std::unique_ptr<ProofVerifyContext> verify_context_; |
| 204 std::unique_ptr<ProofVerifyDetails> details_; | 208 std::unique_ptr<ProofVerifyDetails> details_; |
| 205 std::string error_details_; | 209 std::string error_details_; |
| 206 std::vector<std::string> certs_; | 210 std::vector<std::string> certs_; |
| 207 }; | 211 }; |
| 208 | 212 |
| 209 // Tests that the ProofVerifier fails verification if certificate | 213 // Tests that the ProofVerifier fails verification if certificate |
| 210 // verification fails. | 214 // verification fails. |
| 211 TEST_F(ProofVerifierChromiumTest, FailsIfCertFails) { | 215 TEST_F(ProofVerifierChromiumTest, FailsIfCertFails) { |
| 212 MockCertVerifier dummy_verifier; | 216 MockCertVerifier dummy_verifier; |
| 213 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr, | 217 ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, |
| 218 &transport_security_state_, | |
| 214 ct_verifier_.get()); | 219 ct_verifier_.get()); |
| 215 | 220 |
| 216 std::unique_ptr<DummyProofVerifierCallback> callback( | 221 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 217 new DummyProofVerifierCallback); | 222 new DummyProofVerifierCallback); |
| 218 QuicAsyncStatus status = proof_verifier.VerifyProof( | 223 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 219 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | 224 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 220 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | 225 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 221 callback.get()); | 226 callback.get()); |
| 222 ASSERT_EQ(QUIC_FAILURE, status); | 227 ASSERT_EQ(QUIC_FAILURE, status); |
| 223 } | 228 } |
| 224 | 229 |
| 225 // Valid SCT, but invalid signature. | 230 // Valid SCT, but invalid signature. |
| 226 TEST_F(ProofVerifierChromiumTest, ValidSCTList) { | 231 TEST_F(ProofVerifierChromiumTest, ValidSCTList) { |
| 227 // Use different certificates for SCT tests. | 232 // Use different certificates for SCT tests. |
| 228 ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); | 233 ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); |
| 229 | 234 |
| 230 MockCertVerifier cert_verifier; | 235 MockCertVerifier cert_verifier; |
| 231 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, | 236 ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_, |
| 237 &transport_security_state_, | |
| 232 ct_verifier_.get()); | 238 ct_verifier_.get()); |
| 233 | 239 |
| 234 std::unique_ptr<DummyProofVerifierCallback> callback( | 240 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 235 new DummyProofVerifierCallback); | 241 new DummyProofVerifierCallback); |
| 236 QuicAsyncStatus status = proof_verifier.VerifyProof( | 242 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 237 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, | 243 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, |
| 238 ct::GetSCTListForTesting(), "", verify_context_.get(), &error_details_, | 244 ct::GetSCTListForTesting(), "", verify_context_.get(), &error_details_, |
| 239 &details_, callback.get()); | 245 &details_, callback.get()); |
| 240 ASSERT_EQ(QUIC_FAILURE, status); | 246 ASSERT_EQ(QUIC_FAILURE, status); |
| 241 CheckSCT(/*sct_expected_ok=*/true); | 247 CheckSCT(/*sct_expected_ok=*/true); |
| 242 } | 248 } |
| 243 | 249 |
| 244 // Invalid SCT and signature. | 250 // Invalid SCT and signature. |
| 245 TEST_F(ProofVerifierChromiumTest, InvalidSCTList) { | 251 TEST_F(ProofVerifierChromiumTest, InvalidSCTList) { |
| 246 // Use different certificates for SCT tests. | 252 // Use different certificates for SCT tests. |
| 247 ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); | 253 ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); |
| 248 | 254 |
| 249 MockCertVerifier cert_verifier; | 255 MockCertVerifier cert_verifier; |
| 250 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, | 256 ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_, |
| 257 &transport_security_state_, | |
| 251 ct_verifier_.get()); | 258 ct_verifier_.get()); |
| 252 | 259 |
| 253 std::unique_ptr<DummyProofVerifierCallback> callback( | 260 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 254 new DummyProofVerifierCallback); | 261 new DummyProofVerifierCallback); |
| 255 QuicAsyncStatus status = proof_verifier.VerifyProof( | 262 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 256 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, | 263 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, |
| 257 ct::GetSCTListWithInvalidSCT(), "", verify_context_.get(), | 264 ct::GetSCTListWithInvalidSCT(), "", verify_context_.get(), |
| 258 &error_details_, &details_, callback.get()); | 265 &error_details_, &details_, callback.get()); |
| 259 ASSERT_EQ(QUIC_FAILURE, status); | 266 ASSERT_EQ(QUIC_FAILURE, status); |
| 260 CheckSCT(/*sct_expected_ok=*/false); | 267 CheckSCT(/*sct_expected_ok=*/false); |
| 261 } | 268 } |
| 262 | 269 |
| 263 // Tests that the ProofVerifier doesn't verify certificates if the config | 270 // Tests that the ProofVerifier doesn't verify certificates if the config |
| 264 // signature fails. | 271 // signature fails. |
| 265 TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) { | 272 TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) { |
| 266 FailsTestCertVerifier cert_verifier; | 273 FailsTestCertVerifier cert_verifier; |
| 267 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, | 274 ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_, |
| 275 &transport_security_state_, | |
| 268 ct_verifier_.get()); | 276 ct_verifier_.get()); |
| 269 | 277 |
| 270 std::unique_ptr<DummyProofVerifierCallback> callback( | 278 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 271 new DummyProofVerifierCallback); | 279 new DummyProofVerifierCallback); |
| 272 QuicAsyncStatus status = proof_verifier.VerifyProof( | 280 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 273 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | 281 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 274 kTestConfig, verify_context_.get(), &error_details_, &details_, | 282 kTestConfig, verify_context_.get(), &error_details_, &details_, |
| 275 callback.get()); | 283 callback.get()); |
| 276 ASSERT_EQ(QUIC_FAILURE, status); | 284 ASSERT_EQ(QUIC_FAILURE, status); |
| 277 } | 285 } |
| 278 | 286 |
| 279 // Tests that EV certificates are left as EV if there is no certificate | |
| 280 // policy enforcement. | |
| 281 TEST_F(ProofVerifierChromiumTest, PreservesEVIfNoPolicy) { | |
|
Ryan Hamilton
2016/06/16 03:31:04
Yay! :>
| |
| 282 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
| 283 ASSERT_TRUE(test_cert); | |
| 284 | |
| 285 CertVerifyResult dummy_result; | |
| 286 dummy_result.verified_cert = test_cert; | |
| 287 dummy_result.cert_status = CERT_STATUS_IS_EV; | |
| 288 | |
| 289 MockCertVerifier dummy_verifier; | |
| 290 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
| 291 | |
| 292 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr, | |
| 293 ct_verifier_.get()); | |
| 294 | |
| 295 std::unique_ptr<DummyProofVerifierCallback> callback( | |
| 296 new DummyProofVerifierCallback); | |
| 297 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
| 298 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | |
| 299 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | |
| 300 callback.get()); | |
| 301 ASSERT_EQ(QUIC_SUCCESS, status); | |
| 302 | |
| 303 ASSERT_TRUE(details_.get()); | |
| 304 ProofVerifyDetailsChromium* verify_details = | |
| 305 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | |
| 306 EXPECT_EQ(dummy_result.cert_status, | |
| 307 verify_details->cert_verify_result.cert_status); | |
| 308 } | |
| 309 | |
| 310 // Tests that the certificate policy enforcer is consulted for EV | 287 // Tests that the certificate policy enforcer is consulted for EV |
| 311 // and the certificate is allowed to be EV. | 288 // and the certificate is allowed to be EV. |
| 312 TEST_F(ProofVerifierChromiumTest, PreservesEVIfAllowed) { | 289 TEST_F(ProofVerifierChromiumTest, PreservesEVIfAllowed) { |
| 313 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | 290 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
| 314 ASSERT_TRUE(test_cert); | 291 ASSERT_TRUE(test_cert); |
| 315 | 292 |
| 316 CertVerifyResult dummy_result; | 293 CertVerifyResult dummy_result; |
| 317 dummy_result.verified_cert = test_cert; | 294 dummy_result.verified_cert = test_cert; |
| 318 dummy_result.cert_status = CERT_STATUS_IS_EV; | 295 dummy_result.cert_status = CERT_STATUS_IS_EV; |
| 319 | 296 |
| 320 MockCertVerifier dummy_verifier; | 297 MockCertVerifier dummy_verifier; |
| 321 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 298 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 322 | 299 |
| 323 MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/); | 300 MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/); |
| 324 | 301 |
| 325 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | 302 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, |
| 326 nullptr, ct_verifier_.get()); | 303 &transport_security_state_, |
| 304 ct_verifier_.get()); | |
| 327 | 305 |
| 328 std::unique_ptr<DummyProofVerifierCallback> callback( | 306 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 329 new DummyProofVerifierCallback); | 307 new DummyProofVerifierCallback); |
| 330 QuicAsyncStatus status = proof_verifier.VerifyProof( | 308 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 331 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | 309 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 332 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | 310 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 333 callback.get()); | 311 callback.get()); |
| 334 ASSERT_EQ(QUIC_SUCCESS, status); | 312 ASSERT_EQ(QUIC_SUCCESS, status); |
| 335 | 313 |
| 336 ASSERT_TRUE(details_.get()); | 314 ASSERT_TRUE(details_.get()); |
| (...skipping 12 matching lines...) Expand all Loading... | |
| 349 CertVerifyResult dummy_result; | 327 CertVerifyResult dummy_result; |
| 350 dummy_result.verified_cert = test_cert; | 328 dummy_result.verified_cert = test_cert; |
| 351 dummy_result.cert_status = CERT_STATUS_IS_EV; | 329 dummy_result.cert_status = CERT_STATUS_IS_EV; |
| 352 | 330 |
| 353 MockCertVerifier dummy_verifier; | 331 MockCertVerifier dummy_verifier; |
| 354 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 332 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 355 | 333 |
| 356 MockCTPolicyEnforcer policy_enforcer(false /*is_ev*/); | 334 MockCTPolicyEnforcer policy_enforcer(false /*is_ev*/); |
| 357 | 335 |
| 358 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | 336 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, |
| 359 nullptr, ct_verifier_.get()); | 337 &transport_security_state_, |
| 338 ct_verifier_.get()); | |
| 360 | 339 |
| 361 std::unique_ptr<DummyProofVerifierCallback> callback( | 340 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 362 new DummyProofVerifierCallback); | 341 new DummyProofVerifierCallback); |
| 363 QuicAsyncStatus status = proof_verifier.VerifyProof( | 342 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 364 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | 343 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 365 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | 344 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 366 callback.get()); | 345 callback.get()); |
| 367 ASSERT_EQ(QUIC_SUCCESS, status); | 346 ASSERT_EQ(QUIC_SUCCESS, status); |
| 368 | 347 |
| 369 ASSERT_TRUE(details_.get()); | 348 ASSERT_TRUE(details_.get()); |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 383 CertVerifyResult dummy_result; | 362 CertVerifyResult dummy_result; |
| 384 dummy_result.verified_cert = test_cert; | 363 dummy_result.verified_cert = test_cert; |
| 385 dummy_result.cert_status = 0; | 364 dummy_result.cert_status = 0; |
| 386 | 365 |
| 387 MockCertVerifier dummy_verifier; | 366 MockCertVerifier dummy_verifier; |
| 388 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 367 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 389 | 368 |
| 390 FailsTestCTPolicyEnforcer policy_enforcer; | 369 FailsTestCTPolicyEnforcer policy_enforcer; |
| 391 | 370 |
| 392 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | 371 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, |
| 393 nullptr, ct_verifier_.get()); | 372 &transport_security_state_, |
| 373 ct_verifier_.get()); | |
| 394 | 374 |
| 395 std::unique_ptr<DummyProofVerifierCallback> callback( | 375 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 396 new DummyProofVerifierCallback); | 376 new DummyProofVerifierCallback); |
| 397 QuicAsyncStatus status = proof_verifier.VerifyProof( | 377 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 398 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | 378 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 399 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | 379 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 400 callback.get()); | 380 callback.get()); |
| 401 ASSERT_EQ(QUIC_SUCCESS, status); | 381 ASSERT_EQ(QUIC_SUCCESS, status); |
| 402 | 382 |
| 403 ASSERT_TRUE(details_.get()); | 383 ASSERT_TRUE(details_.get()); |
| (...skipping 23 matching lines...) Expand all Loading... | |
| 427 | 407 |
| 428 MockCertVerifier dummy_verifier; | 408 MockCertVerifier dummy_verifier; |
| 429 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 409 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 430 | 410 |
| 431 HashValueVector pin_hashes = MakeHashValueVector(0x02); | 411 HashValueVector pin_hashes = MakeHashValueVector(0x02); |
| 432 TransportSecurityState transport_security_state; | 412 TransportSecurityState transport_security_state; |
| 433 transport_security_state.AddHPKP( | 413 transport_security_state.AddHPKP( |
| 434 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), | 414 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), |
| 435 true, pin_hashes, GURL()); | 415 true, pin_hashes, GURL()); |
| 436 | 416 |
| 437 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, | 417 MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/); |
| 438 &transport_security_state, nullptr); | 418 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, |
| 419 &transport_security_state, | |
| 420 ct_verifier_.get()); | |
| 439 | 421 |
| 440 std::unique_ptr<DummyProofVerifierCallback> callback( | 422 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 441 new DummyProofVerifierCallback); | 423 new DummyProofVerifierCallback); |
| 442 QuicAsyncStatus status = proof_verifier.VerifyProof( | 424 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 443 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | 425 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 444 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | 426 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 445 callback.get()); | 427 callback.get()); |
| 446 ASSERT_EQ(QUIC_FAILURE, status); | 428 ASSERT_EQ(QUIC_FAILURE, status); |
| 447 | 429 |
| 448 ASSERT_TRUE(details_.get()); | 430 ASSERT_TRUE(details_.get()); |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 467 | 449 |
| 468 MockCertVerifier dummy_verifier; | 450 MockCertVerifier dummy_verifier; |
| 469 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 451 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 470 | 452 |
| 471 HashValueVector expected_hashes = MakeHashValueVector(0x02); | 453 HashValueVector expected_hashes = MakeHashValueVector(0x02); |
| 472 TransportSecurityState transport_security_state_fail; | 454 TransportSecurityState transport_security_state_fail; |
| 473 transport_security_state_fail.AddHPKP( | 455 transport_security_state_fail.AddHPKP( |
| 474 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), | 456 kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), |
| 475 true, expected_hashes, GURL()); | 457 true, expected_hashes, GURL()); |
| 476 | 458 |
| 477 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, | 459 MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/); |
| 478 &transport_security_state_fail, nullptr); | 460 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, |
| 461 &transport_security_state_fail, | |
| 462 ct_verifier_.get()); | |
| 479 | 463 |
| 480 std::unique_ptr<DummyProofVerifierCallback> callback( | 464 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 481 new DummyProofVerifierCallback); | 465 new DummyProofVerifierCallback); |
| 482 QuicAsyncStatus status = proof_verifier.VerifyProof( | 466 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 483 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", | 467 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", |
| 484 GetTestSignature(), verify_context_.get(), &error_details_, &details_, | 468 GetTestSignature(), verify_context_.get(), &error_details_, &details_, |
| 485 callback.get()); | 469 callback.get()); |
| 486 ASSERT_EQ(QUIC_SUCCESS, status); | 470 ASSERT_EQ(QUIC_SUCCESS, status); |
| 487 | 471 |
| 488 ASSERT_TRUE(details_.get()); | 472 ASSERT_TRUE(details_.get()); |
| 489 ProofVerifyDetailsChromium* verify_details = | 473 ProofVerifyDetailsChromium* verify_details = |
| 490 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 474 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| 491 EXPECT_TRUE(verify_details->pkp_bypassed); | 475 EXPECT_TRUE(verify_details->pkp_bypassed); |
| 492 } | 476 } |
| 493 | 477 |
| 494 } // namespace test | 478 } // namespace test |
| 495 } // namespace net | 479 } // namespace net |
| OLD | NEW |
