| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 26 #include "net/cert/cert_verify_result.h" | 26 #include "net/cert/cert_verify_result.h" |
| 27 #include "net/cert/ct_policy_status.h" | 27 #include "net/cert/ct_policy_status.h" |
| 28 #include "net/cert/test_root_certs.h" | 28 #include "net/cert/test_root_certs.h" |
| 29 #include "net/cert/x509_cert_types.h" | 29 #include "net/cert/x509_cert_types.h" |
| 30 #include "net/cert/x509_certificate.h" | 30 #include "net/cert/x509_certificate.h" |
| 31 #include "net/http/http_util.h" | 31 #include "net/http/http_util.h" |
| 32 #include "net/log/net_log.h" | 32 #include "net/log/net_log.h" |
| 33 #include "net/ssl/ssl_info.h" | 33 #include "net/ssl/ssl_info.h" |
| 34 #include "net/test/cert_test_util.h" | 34 #include "net/test/cert_test_util.h" |
| 35 #include "net/test/test_data_directory.h" | 35 #include "net/test/test_data_directory.h" |
| 36 #include "testing/gmock/include/gmock/gmock.h" |
| 36 #include "testing/gtest/include/gtest/gtest.h" | 37 #include "testing/gtest/include/gtest/gtest.h" |
| 37 | 38 |
| 38 namespace net { | 39 namespace net { |
| 39 | 40 |
| 40 namespace { | 41 namespace { |
| 41 | 42 |
| 42 const char kHost[] = "example.test"; | 43 const char kHost[] = "example.test"; |
| 43 const char kSubdomain[] = "foo.example.test"; | 44 const char kSubdomain[] = "foo.example.test"; |
| 44 const uint16_t kPort = 443; | 45 const uint16_t kPort = 443; |
| 45 const char kReportUri[] = "http://report-example.test/test"; | 46 const char kReportUri[] = "http://report-example.test/test"; |
| 153 const SSLInfo& ssl_info() { return ssl_info_; } | 154 const SSLInfo& ssl_info() { return ssl_info_; } |
| 154 uint32_t num_failures() { return num_failures_; } | 155 uint32_t num_failures() { return num_failures_; } |
| 155 | 156 |
| 156 private: | 157 private: |
| 157 HostPortPair host_port_pair_; | 158 HostPortPair host_port_pair_; |
| 158 GURL report_uri_; | 159 GURL report_uri_; |
| 159 SSLInfo ssl_info_; | 160 SSLInfo ssl_info_; |
| 160 uint32_t num_failures_; | 161 uint32_t num_failures_; |
| 161 }; | 162 }; |
| 162 | 163 |
| 164 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
| 165 public: |
| 166 MOCK_METHOD1(IsCTRequiredForHost, |
| 167 CTRequirementLevel(const std::string& hostname)); |
| 168 }; |
| 169 |
| 163 void CompareCertificateChainWithList( | 170 void CompareCertificateChainWithList( |
| 164 const scoped_refptr<X509Certificate>& cert_chain, | 171 const scoped_refptr<X509Certificate>& cert_chain, |
| 165 const base::ListValue* cert_list) { | 172 const base::ListValue* cert_list) { |
| 166 ASSERT_TRUE(cert_chain); | 173 ASSERT_TRUE(cert_chain); |
| 167 std::vector<std::string> pem_encoded_chain; | 174 std::vector<std::string> pem_encoded_chain; |
| 168 cert_chain->GetPEMEncodedChain(&pem_encoded_chain); | 175 cert_chain->GetPEMEncodedChain(&pem_encoded_chain); |
| 169 EXPECT_EQ(pem_encoded_chain.size(), cert_list->GetSize()); | 176 EXPECT_EQ(pem_encoded_chain.size(), cert_list->GetSize()); |
| 170 | 177 |
| 171 for (size_t i = 0; i < pem_encoded_chain.size(); i++) { | 178 for (size_t i = 0; i < pem_encoded_chain.size(); i++) { |
| 172 std::string list_cert; | 179 std::string list_cert; |
| 1876 state.ProcessExpectCTHeader("preload", host_port, ssl_info); | 1883 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
| 1877 EXPECT_EQ(1u, reporter.num_failures()); | 1884 EXPECT_EQ(1u, reporter.num_failures()); |
| 1878 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); | 1885 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); |
| 1879 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, | 1886 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, |
| 1880 reporter.ssl_info().ct_cert_policy_compliance); | 1887 reporter.ssl_info().ct_cert_policy_compliance); |
| 1881 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 1888 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
| 1882 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 1889 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
| 1883 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 1890 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
| 1884 } | 1891 } |
| 1885 | 1892 |
| 1893 // Tests that TransportSecurityState always consults the RequireCTDelegate, |
| 1894 // if supplied. |
| 1895 TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) { |
| 1896 using ::testing::_; |
| 1897 using ::testing::Return; |
| 1898 using CTRequirementLevel = |
| 1899 TransportSecurityState::RequireCTDelegate::CTRequirementLevel; |
| 1900 |
| 1901 // Dummy cert to use as the validate chain. The contents do not matter. |
| 1902 scoped_refptr<X509Certificate> cert = |
| 1903 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 1904 ASSERT_TRUE(cert); |
| 1905 |
| 1906 HashValueVector hashes; |
| 1907 hashes.push_back(HashValue( |
| 1908 X509Certificate::CalculateFingerprint256(cert->os_cert_handle()))); |
| 1909 |
| 1910 { |
| 1911 TransportSecurityState state; |
| 1912 bool original_status = |
| 1913 state.ShouldRequireCT("www.example.com", cert.get(), hashes); |
| 1914 |
| 1915 MockRequireCTDelegate always_require_delegate; |
| 1916 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) |
| 1917 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); |
| 1918 state.SetRequireCTDelegate(&always_require_delegate); |
| 1919 EXPECT_TRUE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); |
| 1920 |
| 1921 state.SetRequireCTDelegate(nullptr); |
| 1922 EXPECT_EQ(original_status, |
| 1923 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); |
| 1924 } |
| 1925 |
| 1926 { |
| 1927 TransportSecurityState state; |
| 1928 bool original_status = |
| 1929 state.ShouldRequireCT("www.example.com", cert.get(), hashes); |
| 1930 |
| 1931 MockRequireCTDelegate never_require_delegate; |
| 1932 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_)) |
| 1933 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); |
| 1934 state.SetRequireCTDelegate(&never_require_delegate); |
| 1935 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); |
| 1936 |
| 1937 state.SetRequireCTDelegate(nullptr); |
| 1938 EXPECT_EQ(original_status, |
| 1939 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); |
| 1940 } |
| 1941 |
| 1942 { |
| 1943 TransportSecurityState state; |
| 1944 bool original_status = |
| 1945 state.ShouldRequireCT("www.example.com", cert.get(), hashes); |
| 1946 |
| 1947 MockRequireCTDelegate default_require_ct_delegate; |
| 1948 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_)) |
| 1949 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); |
| 1950 state.SetRequireCTDelegate(&default_require_ct_delegate); |
| 1951 EXPECT_EQ(original_status, |
| 1952 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); |
| 1953 |
| 1954 state.SetRequireCTDelegate(nullptr); |
| 1955 EXPECT_EQ(original_status, |
| 1956 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); |
| 1957 } |
| 1958 } |
| 1959 |
| 1886 } // namespace net | 1960 } // namespace net |
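Review bot: The new RequireCTConsultsDelegate test does not actually verify that the delegate is consulted, which is what its header comment claims: each `EXPECT_CALL(..., IsCTRequiredForHost(_)).WillRepeatedly(Return(...))` accepts zero invocations, so the DEFAULT block (new lines 1947-1952) passes unchanged even if ShouldRequireCT never calls the delegate, and the NOT_REQUIRED block likely does too if the baseline for "www.example.com" is already false. Pin the call count and the hostname in all three blocks, e.g. `EXPECT_CALL(always_require_delegate, IsCTRequiredForHost("www.example.com")).Times(::testing::AtLeast(1)).WillRepeatedly(Return(CTRequirementLevel::REQUIRED));` (`WillOnce` would also work if ShouldRequireCT is known to consult the delegate exactly once per call, which is not visible here). Matching on `_` also leaves the hostname handed to the delegate unchecked, so a delegate that was queried with the wrong host would still satisfy the test. Resetting the delegate with `SetRequireCTDelegate(nullptr)` before the mock goes out of scope is correct and worth keeping, since the mock is declared after `state` and is destroyed first.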