| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <memory> | 5 #include <memory> |
| 6 #include <utility> | 6 #include <utility> |
| 7 | 7 |
| 8 #include "base/memory/ptr_util.h" | 8 #include "base/memory/ptr_util.h" |
| 9 #include "build/build_config.h" | 9 #include "build/build_config.h" |
| 10 | 10 |
| 51 #include "net/base/load_timing_info.h" | 51 #include "net/base/load_timing_info.h" |
| 52 #include "net/base/load_timing_info_test_util.h" | 52 #include "net/base/load_timing_info_test_util.h" |
| 53 #include "net/base/net_errors.h" | 53 #include "net/base/net_errors.h" |
| 54 #include "net/base/net_module.h" | 54 #include "net/base/net_module.h" |
| 55 #include "net/base/request_priority.h" | 55 #include "net/base/request_priority.h" |
| 56 #include "net/base/test_data_directory.h" | 56 #include "net/base/test_data_directory.h" |
| 57 #include "net/base/upload_bytes_element_reader.h" | 57 #include "net/base/upload_bytes_element_reader.h" |
| 58 #include "net/base/upload_data_stream.h" | 58 #include "net/base/upload_data_stream.h" |
| 59 #include "net/base/upload_file_element_reader.h" | 59 #include "net/base/upload_file_element_reader.h" |
| 60 #include "net/base/url_util.h" | 60 #include "net/base/url_util.h" |
| 61 #include "net/cert/ct_policy_enforcer.h" |
| 61 #include "net/cert/ct_policy_status.h" | 62 #include "net/cert/ct_policy_status.h" |
| 62 #include "net/cert/ct_verifier.h" | 63 #include "net/cert/ct_verifier.h" |
| 63 #include "net/cert/ct_verify_result.h" | 64 #include "net/cert/ct_verify_result.h" |
| 64 #include "net/cert/ev_root_ca_metadata.h" | 65 #include "net/cert/ev_root_ca_metadata.h" |
| 65 #include "net/cert/mock_cert_verifier.h" | 66 #include "net/cert/mock_cert_verifier.h" |
| 66 #include "net/cert/test_root_certs.h" | 67 #include "net/cert/test_root_certs.h" |
| 67 #include "net/cert_net/nss_ocsp.h" | 68 #include "net/cert_net/nss_ocsp.h" |
| 68 #include "net/cookies/cookie_monster.h" | 69 #include "net/cookies/cookie_monster.h" |
| 69 #include "net/cookies/cookie_store_test_helpers.h" | 70 #include "net/cookies/cookie_store_test_helpers.h" |
| 70 #include "net/disk_cache/disk_cache.h" | 71 #include "net/disk_cache/disk_cache.h" |
| 6484 // Use a MockHostResolver (which by default maps all hosts to | 6485 // Use a MockHostResolver (which by default maps all hosts to |
| 6485 // 127.0.0.1) so that the request can be sent to a site on the Expect | 6486 // 127.0.0.1) so that the request can be sent to a site on the Expect |
| 6486 // CT preload list. | 6487 // CT preload list. |
| 6487 MockHostResolver host_resolver; | 6488 MockHostResolver host_resolver; |
| 6488 TestURLRequestContext context(true); | 6489 TestURLRequestContext context(true); |
| 6489 context.set_host_resolver(&host_resolver); | 6490 context.set_host_resolver(&host_resolver); |
| 6490 context.set_transport_security_state(&transport_security_state); | 6491 context.set_transport_security_state(&transport_security_state); |
| 6491 context.set_network_delegate(&network_delegate); | 6492 context.set_network_delegate(&network_delegate); |
| 6492 context.set_cert_verifier(&cert_verifier); | 6493 context.set_cert_verifier(&cert_verifier); |
| 6493 context.set_cert_transparency_verifier(&ct_verifier); | 6494 context.set_cert_transparency_verifier(&ct_verifier); |
| 6494 context.set_ct_policy_enforcer(&ct_policy_enforcer); | 6495 context.set_ct_policy_enforcer(std::move(&ct_policy_enforcer)); |
| 6495 context.Init(); | 6496 context.Init(); |
| 6496 | 6497 |
| 6497 // Now send a request to trigger the violation. | 6498 // Now send a request to trigger the violation. |
| 6498 TestDelegate d; | 6499 TestDelegate d; |
| 6499 GURL url = https_test_server.GetURL("/expect-ct-header.html"); | 6500 GURL url = https_test_server.GetURL("/expect-ct-header.html"); |
| 6500 GURL::Replacements replace_host; | 6501 GURL::Replacements replace_host; |
| 6501 replace_host.SetHostStr(kExpectCTStaticHostname); | 6502 replace_host.SetHostStr(kExpectCTStaticHostname); |
| 6502 url = url.ReplaceComponents(replace_host); | 6503 url = url.ReplaceComponents(replace_host); |
| 6503 std::unique_ptr<URLRequest> violating_request( | 6504 std::unique_ptr<URLRequest> violating_request( |
| 6504 context.CreateRequest(url, DEFAULT_PRIORITY, &d)); | 6505 context.CreateRequest(url, DEFAULT_PRIORITY, &d)); |
| 8830 base::RunLoop().Run(); | 8831 base::RunLoop().Run(); |
| 8831 | 8832 |
| 8832 EXPECT_EQ(1, d.response_started_count()); | 8833 EXPECT_EQ(1, d.response_started_count()); |
| 8833 } | 8834 } |
| 8834 | 8835 |
| 8835 // Now create a new HttpCache with a different ssl_session_cache_shard value. | 8836 // Now create a new HttpCache with a different ssl_session_cache_shard value. |
| 8836 HttpNetworkSession::Params params; | 8837 HttpNetworkSession::Params params; |
| 8837 params.host_resolver = default_context_.host_resolver(); | 8838 params.host_resolver = default_context_.host_resolver(); |
| 8838 params.cert_verifier = default_context_.cert_verifier(); | 8839 params.cert_verifier = default_context_.cert_verifier(); |
| 8839 params.transport_security_state = default_context_.transport_security_state(); | 8840 params.transport_security_state = default_context_.transport_security_state(); |
| 8841 params.cert_transparency_verifier = |
| 8842 default_context_.cert_transparency_verifier(); |
| 8843 params.ct_policy_enforcer = default_context_.ct_policy_enforcer(); |
| 8840 params.proxy_service = default_context_.proxy_service(); | 8844 params.proxy_service = default_context_.proxy_service(); |
| 8841 params.ssl_config_service = default_context_.ssl_config_service(); | 8845 params.ssl_config_service = default_context_.ssl_config_service(); |
| 8842 params.http_auth_handler_factory = | 8846 params.http_auth_handler_factory = |
| 8843 default_context_.http_auth_handler_factory(); | 8847 default_context_.http_auth_handler_factory(); |
| 8844 params.http_server_properties = default_context_.http_server_properties(); | 8848 params.http_server_properties = default_context_.http_server_properties(); |
| 8845 | 8849 |
| 8846 HttpNetworkSession network_session(params); | 8850 HttpNetworkSession network_session(params); |
| 8847 std::unique_ptr<HttpCache> cache(new HttpCache( | 8851 std::unique_ptr<HttpCache> cache(new HttpCache( |
| 8848 &network_session, HttpCache::DefaultBackend::InMemory(0), false)); | 8852 &network_session, HttpCache::DefaultBackend::InMemory(0), false)); |
| 8849 | 8853 |
| 9219 public: | 9223 public: |
| 9220 HTTPSOCSPTest() | 9224 HTTPSOCSPTest() |
| 9221 : context_(true), | 9225 : context_(true), |
| 9222 ev_test_policy_( | 9226 ev_test_policy_( |
| 9223 new ScopedTestEVPolicy(EVRootCAMetadata::GetInstance(), | 9227 new ScopedTestEVPolicy(EVRootCAMetadata::GetInstance(), |
| 9224 kOCSPTestCertFingerprint, | 9228 kOCSPTestCertFingerprint, |
| 9225 kOCSPTestCertPolicy)) { | 9229 kOCSPTestCertPolicy)) { |
| 9226 } | 9230 } |
| 9227 | 9231 |
| 9228 void SetUp() override { | 9232 void SetUp() override { |
| 9229 SetupContext(&context_); | 9233 context_.SetCTPolicyEnforcer( |
| 9234 base::MakeUnique<AllowAnyCertCTPolicyEnforcer>()); |
| 9235 SetupContext(); |
| 9230 context_.Init(); | 9236 context_.Init(); |
| 9231 | 9237 |
| 9232 scoped_refptr<X509Certificate> root_cert = | 9238 scoped_refptr<X509Certificate> root_cert = |
| 9233 ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); | 9239 ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); |
| 9234 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); | 9240 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); |
| 9235 test_root_.reset(new ScopedTestRoot(root_cert.get())); | 9241 test_root_.reset(new ScopedTestRoot(root_cert.get())); |
| 9236 | 9242 |
| 9237 #if defined(USE_NSS_CERTS) | 9243 #if defined(USE_NSS_CERTS) |
| 9238 SetURLRequestContextForNSSHttpIO(&context_); | 9244 SetURLRequestContextForNSSHttpIO(&context_); |
| 9239 EnsureNSSHttpIOInit(); | 9245 EnsureNSSHttpIOInit(); |
| 9262 *out_cert_status = r->ssl_info().cert_status; | 9268 *out_cert_status = r->ssl_info().cert_status; |
| 9263 } | 9269 } |
| 9264 | 9270 |
| 9265 ~HTTPSOCSPTest() override { | 9271 ~HTTPSOCSPTest() override { |
| 9266 #if defined(USE_NSS_CERTS) | 9272 #if defined(USE_NSS_CERTS) |
| 9267 ShutdownNSSHttpIO(); | 9273 ShutdownNSSHttpIO(); |
| 9268 #endif | 9274 #endif |
| 9269 } | 9275 } |
| 9270 | 9276 |
| 9271 protected: | 9277 protected: |
| 9278 class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer { |
| 9279 public: |
| 9280 AllowAnyCertCTPolicyEnforcer() = default; |
| 9281 ~AllowAnyCertCTPolicyEnforcer() override = default; |
| 9282 |
| 9283 ct::CertPolicyCompliance DoesConformToCertPolicy( |
| 9284 X509Certificate* cert, |
| 9285 const SCTList& verified_scts, |
| 9286 const BoundNetLog& net_log) override { |
| 9287 return ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS; |
| 9288 } |
| 9289 |
| 9290 ct::EVPolicyCompliance DoesConformToCTEVPolicy( |
| 9291 X509Certificate* cert, |
| 9292 const ct::EVCertsWhitelist* ev_whitelist, |
| 9293 const SCTList& verified_scts, |
| 9294 const BoundNetLog& net_log) override { |
| 9295 return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS; |
| 9296 } |
| 9297 }; |
| 9272 // SetupContext configures the URLRequestContext that will be used for making | 9298 // SetupContext configures the URLRequestContext that will be used for making |
| 9273 // connetions to testserver. This can be overridden in test subclasses for | 9299 // connetions to testserver. This can be overridden in test subclasses for |
| 9274 // different behaviour. | 9300 // different behaviour. |
| 9275 virtual void SetupContext(URLRequestContext* context) { | 9301 virtual void SetupContext() { |
| 9276 context->set_ssl_config_service(new TestSSLConfigService( | 9302 context_.set_ssl_config_service(new TestSSLConfigService( |
| 9277 true /* check for EV */, true /* online revocation checking */, | 9303 true /* check for EV */, true /* online revocation checking */, |
| 9278 false /* require rev. checking for local | 9304 false /* require rev. checking for local |
| 9279 anchors */, | 9305 anchors */, |
| 9280 false /* token binding enabled */)); | 9306 false /* token binding enabled */)); |
| 9281 } | 9307 } |
| 9282 | 9308 |
| 9283 std::unique_ptr<ScopedTestRoot> test_root_; | 9309 std::unique_ptr<ScopedTestRoot> test_root_; |
| 9284 TestURLRequestContext context_; | 9310 TestURLRequestContext context_; |
| 9285 std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_; | 9311 std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_; |
| 9286 }; | 9312 }; |
| 9453 CertStatus cert_status; | 9479 CertStatus cert_status; |
| 9454 DoConnection(ssl_options, &cert_status); | 9480 DoConnection(ssl_options, &cert_status); |
| 9455 | 9481 |
| 9456 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); | 9482 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); |
| 9457 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9483 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9458 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9484 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| 9459 } | 9485 } |
| 9460 | 9486 |
| 9461 class HTTPSHardFailTest : public HTTPSOCSPTest { | 9487 class HTTPSHardFailTest : public HTTPSOCSPTest { |
| 9462 protected: | 9488 protected: |
| 9463 void SetupContext(URLRequestContext* context) override { | 9489 void SetupContext() override { |
| 9464 context->set_ssl_config_service(new TestSSLConfigService( | 9490 context_.set_ssl_config_service(new TestSSLConfigService( |
| 9465 false /* check for EV */, false /* online revocation checking */, | 9491 false /* check for EV */, false /* online revocation checking */, |
| 9466 true /* require rev. checking for local | 9492 true /* require rev. checking for local |
| 9467 anchors */, | 9493 anchors */, |
| 9468 false /* token binding enabled */)); | 9494 false /* token binding enabled */)); |
| 9469 } | 9495 } |
| 9470 }; | 9496 }; |
| 9471 | 9497 |
| 9472 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) { | 9498 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) { |
| 9473 if (!SystemSupportsOCSP()) { | 9499 if (!SystemSupportsOCSP()) { |
| 9474 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9500 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| 9490 | 9516 |
| 9491 EXPECT_EQ(CERT_STATUS_REVOKED, | 9517 EXPECT_EQ(CERT_STATUS_REVOKED, |
| 9492 cert_status & CERT_STATUS_REVOKED); | 9518 cert_status & CERT_STATUS_REVOKED); |
| 9493 | 9519 |
| 9494 // Without a positive OCSP response, we shouldn't show the EV status. | 9520 // Without a positive OCSP response, we shouldn't show the EV status. |
| 9495 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9521 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| 9496 } | 9522 } |
| 9497 | 9523 |
| 9498 class HTTPSEVCRLSetTest : public HTTPSOCSPTest { | 9524 class HTTPSEVCRLSetTest : public HTTPSOCSPTest { |
| 9499 protected: | 9525 protected: |
| 9500 void SetupContext(URLRequestContext* context) override { | 9526 void SetupContext() override { |
| 9501 context->set_ssl_config_service(new TestSSLConfigService( | 9527 context_.set_ssl_config_service(new TestSSLConfigService( |
| 9502 true /* check for EV */, false /* online revocation checking */, | 9528 true /* check for EV */, false /* online revocation checking */, |
| 9503 false /* require rev. checking for local | 9529 false /* require rev. checking for local |
| 9504 anchors */, | 9530 anchors */, |
| 9505 false /* token binding enabled */)); | 9531 false /* token binding enabled */)); |
| 9506 } | 9532 } |
| 9507 }; | 9533 }; |
| 9508 | 9534 |
| 9509 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) { | 9535 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) { |
| 9510 if (!SystemSupportsOCSP()) { | 9536 if (!SystemSupportsOCSP()) { |
| 9511 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9537 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| 9675 DoConnection(ssl_options, &cert_status); | 9701 DoConnection(ssl_options, &cert_status); |
| 9676 | 9702 |
| 9677 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); | 9703 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
| 9678 | 9704 |
| 9679 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9705 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9680 EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9706 EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| 9681 } | 9707 } |
| 9682 | 9708 |
| 9683 class HTTPSCRLSetTest : public HTTPSOCSPTest { | 9709 class HTTPSCRLSetTest : public HTTPSOCSPTest { |
| 9684 protected: | 9710 protected: |
| 9685 void SetupContext(URLRequestContext* context) override { | 9711 void SetupContext() override { |
| 9686 context->set_ssl_config_service(new TestSSLConfigService( | 9712 context_.set_ssl_config_service(new TestSSLConfigService( |
| 9687 false /* check for EV */, false /* online revocation checking */, | 9713 false /* check for EV */, false /* online revocation checking */, |
| 9688 false /* require rev. checking for local | 9714 false /* require rev. checking for local |
| 9689 anchors */, | 9715 anchors */, |
| 9690 false /* token binding enabled */)); | 9716 false /* token binding enabled */)); |
| 9691 } | 9717 } |
| 9692 }; | 9718 }; |
| 9693 | 9719 |
| 9694 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { | 9720 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { |
| 9695 SpawnedTestServer::SSLOptions ssl_options( | 9721 SpawnedTestServer::SSLOptions ssl_options( |
| 9696 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9722 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 10121 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 10147 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
| 10122 | 10148 |
| 10123 req->Start(); | 10149 req->Start(); |
| 10124 req->Cancel(); | 10150 req->Cancel(); |
| 10125 base::RunLoop().RunUntilIdle(); | 10151 base::RunLoop().RunUntilIdle(); |
| 10126 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); | 10152 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); |
| 10127 EXPECT_EQ(0, d.received_redirect_count()); | 10153 EXPECT_EQ(0, d.received_redirect_count()); |
| 10128 } | 10154 } |
| 10129 | 10155 |
| 10130 } // namespace net | 10156 } // namespace net |
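Review bot: `context.set_ct_policy_enforcer(std::move(&ct_policy_enforcer));` at new line 6495 applies `std::move` to an address-of expression, which is already a prvalue pointer, so the cast does nothing and only suggests an ownership transfer that does not happen; every other setter in that block passes a raw address and this one should match: `context.set_ct_policy_enforcer(&ct_policy_enforcer);`. The enclosing test body starts before this hunk, so I cannot see how `ct_policy_enforcer` is declared, but nothing in the visible lines calls for a move. Separately, the nested `AllowAnyCertCTPolicyEnforcer` added to HTTPSOCSPTest returns `CERT_POLICY_COMPLIES_VIA_SCTS` and `EV_POLICY_COMPLIES_VIA_SCTS` regardless of its arguments and carries no comment saying so; a header line such as `// Test-only enforcer that reports every certificate as CT-compliant, presumably so these OCSP/EV tests do not depend on real SCTs; never use outside this fixture.` would make the intent and scope explicit to the next reader.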