Introduce the ability to require CT for specific hosts

net/quic/crypto/proof_verifier_chromium_test.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/proof_verifier_chromium.h"
 
 #include "base/memory/ref_counted.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_serialization.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/cert/multi_log_ct_verifier.h"
 #include "net/http/transport_security_state.h"
 #include "net/quic/crypto/proof_verifier.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/ct_test_util.h"
 #include "net/test/test_data_directory.h"
+#include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
+using ::testing::_;
+using ::testing::Return;
+
 namespace net {
 namespace test {
 
 namespace {
 
 // CertVerifier that will fail the test if it is ever called.
 class FailsTestCertVerifier : public CertVerifier {
  public:
   FailsTestCertVerifier() {}
   ~FailsTestCertVerifier() override {}
@@ skipping 20 matching lines @@
       X509Certificate* cert,
       const ct::EVCertsWhitelist* ev_whitelist,
       const ct::SCTList& verified_scts,
       const BoundNetLog& net_log) override {
     ADD_FAILURE() << "CTPolicyEnforcer::DoesConformToCTEVPolicy() should "
                   << "not be called";
     return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
   }
 };
 
-// CTPolicyEnforcer that can simulate whether or not a given certificate
-// conforms to the CT/EV policy.
+// A mock CTPolicyEnforcer that returns a custom verification result.
 class MockCTPolicyEnforcer : public CTPolicyEnforcer {
  public:
-  explicit MockCTPolicyEnforcer(bool is_ev) : is_ev_(is_ev) {}
-  ~MockCTPolicyEnforcer() override {}
+  MOCK_METHOD3(DoesConformToCertPolicy,
+               ct::CertPolicyCompliance(X509Certificate* cert,
+                                        const ct::SCTList&,
+                                        const BoundNetLog&));
+  MOCK_METHOD4(DoesConformToCTEVPolicy,
+               ct::EVPolicyCompliance(X509Certificate* cert,
+                                      const ct::EVCertsWhitelist*,
+                                      const ct::SCTList&,
+                                      const BoundNetLog&));
+};
 
-  ct::EVPolicyCompliance DoesConformToCTEVPolicy(
-      X509Certificate* cert,
-      const ct::EVCertsWhitelist* ev_whitelist,
-      const ct::SCTList& verified_scts,
-      const BoundNetLog& net_log) override {
-    return is_ev_ ? ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS
-                  : ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS;
-  }
-
- private:
-  bool is_ev_;
+class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
+ public:
+  MOCK_METHOD1(IsCTRequiredForHost,
+               CTRequirementLevel(const std::string& host));
 };
 
 class DummyProofVerifierCallback : public ProofVerifierCallback {
  public:
   DummyProofVerifierCallback() {}
   ~DummyProofVerifierCallback() override {}
 
   void Run(bool ok,
            const std::string& error_details,
            std::unique_ptr<ProofVerifyDetails>* details) override {
     // Do nothing
   }
 };
 
 const char kTestHostname[] = "test.example.com";
 const uint16_t kTestPort = 8443;
 const char kTestConfig[] = "server config bytes";
 const char kLogDescription[] = "somelog";
 
 }  // namespace
 
 class ProofVerifierChromiumTest : public ::testing::Test {
  public:
   ProofVerifierChromiumTest()
-      : ct_policy_enforcer_(false /*is_ev*/),
-        verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/,
+      : verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/,
                                                        BoundNetLog())) {}
 
   void SetUp() override {
+    EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _))
+        .WillRepeatedly(
+            Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
+    EXPECT_CALL(ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _))
+        .WillRepeatedly(
+            Return(ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY));
+
     scoped_refptr<const CTLogVerifier> log(CTLogVerifier::Create(
         ct::GetTestPublicKey(), kLogDescription, "https://test.example.com"));
     ASSERT_TRUE(log);
     log_verifiers_.push_back(log);
 
     ct_verifier_.reset(new MultiLogCTVerifier());
     ct_verifier_->AddLogs(log_verifiers_);
 
     ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs_));
   }
@@ skipping 169 matching lines @@
   scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
   ASSERT_TRUE(test_cert);
 
   CertVerifyResult dummy_result;
   dummy_result.verified_cert = test_cert;
   dummy_result.cert_status = CERT_STATUS_IS_EV;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
 
-  MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/);
+  EXPECT_CALL(ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _))
+      .WillRepeatedly(
+          Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS));
 
-  ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
+  ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_,
                                        ct_verifier_.get());
 
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
       GetTestSignature(), verify_context_.get(), &error_details_, &details_,
       callback.get());
   ASSERT_EQ(QUIC_SUCCESS, status);
@@ skipping 11 matching lines @@
   scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
   ASSERT_TRUE(test_cert);
 
   CertVerifyResult dummy_result;
   dummy_result.verified_cert = test_cert;
   dummy_result.cert_status = CERT_STATUS_IS_EV;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
 
-  MockCTPolicyEnforcer policy_enforcer(false /*is_ev*/);
+  EXPECT_CALL(ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _))
+      .WillRepeatedly(
+          Return(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS));
 
-  ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
+  ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_,
                                        ct_verifier_.get());
 
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
       GetTestSignature(), verify_context_.get(), &error_details_, &details_,
       callback.get());
   ASSERT_EQ(QUIC_SUCCESS, status);
@@ skipping 55 matching lines @@
   CertVerifyResult dummy_result;
   dummy_result.verified_cert = test_cert;
   dummy_result.is_issued_by_known_root = true;
   dummy_result.public_key_hashes = MakeHashValueVector(0x01);
   dummy_result.cert_status = 0;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
 
   HashValueVector pin_hashes = MakeHashValueVector(0x02);
-  TransportSecurityState transport_security_state;
-  transport_security_state.AddHPKP(
+  transport_security_state_.AddHPKP(
       kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000),
       true, pin_hashes, GURL());
 
-  MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/);
-  ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
-                                       &transport_security_state,
+  ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
+                                       &transport_security_state_,
                                        ct_verifier_.get());
 
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
       GetTestSignature(), verify_context_.get(), &error_details_, &details_,
       callback.get());
   ASSERT_EQ(QUIC_FAILURE, status);
 
@@ skipping 15 matching lines @@
   CertVerifyResult dummy_result;
   dummy_result.verified_cert = test_cert;
   dummy_result.is_issued_by_known_root = false;
   dummy_result.public_key_hashes = MakeHashValueVector(0x01);
   dummy_result.cert_status = 0;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
 
   HashValueVector expected_hashes = MakeHashValueVector(0x02);
-  TransportSecurityState transport_security_state_fail;
-  transport_security_state_fail.AddHPKP(
+  transport_security_state_.AddHPKP(
       kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000),
       true, expected_hashes, GURL());
 
-  MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/);
-  ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
-                                       &transport_security_state_fail,
+  ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
+                                       &transport_security_state_,
                                        ct_verifier_.get());
 
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
       GetTestSignature(), verify_context_.get(), &error_details_, &details_,
       callback.get());
   ASSERT_EQ(QUIC_SUCCESS, status);
 
   ASSERT_TRUE(details_.get());
   ProofVerifyDetailsChromium* verify_details =
       static_cast<ProofVerifyDetailsChromium*>(details_.get());
   EXPECT_TRUE(verify_details->pkp_bypassed);
 }
 
+// Test that when CT is required (in this case, by the delegate), the
+// absence of CT information is a socket error.
+TEST_F(ProofVerifierChromiumTest, CTIsRequired) {
+  scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
+  ASSERT_TRUE(test_cert);
+
+  CertVerifyResult dummy_result;
+  dummy_result.verified_cert = test_cert;
+  dummy_result.is_issued_by_known_root = true;
+  dummy_result.public_key_hashes = MakeHashValueVector(0x01);
+  dummy_result.cert_status = 0;
+
+  MockCertVerifier dummy_verifier;
+  dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
+
+  // Set up CT.
+  MockRequireCTDelegate require_ct_delegate;
+  transport_security_state_.SetRequireCTDelegate(&require_ct_delegate);
+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(_))
+      .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
+                                 CTRequirementLevel::NOT_REQUIRED));
+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(kTestHostname))
+      .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
+                                 CTRequirementLevel::REQUIRED));
+  EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _))
+      .WillRepeatedly(
+          Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
+
+  ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
+                                       &transport_security_state_,
+                                       ct_verifier_.get());
+
+  std::unique_ptr<DummyProofVerifierCallback> callback(
+      new DummyProofVerifierCallback);
+  QuicAsyncStatus status = proof_verifier.VerifyProof(
+      kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
+      GetTestSignature(), verify_context_.get(), &error_details_, &details_,
+      callback.get());
+  ASSERT_EQ(QUIC_FAILURE, status);
+
+  ASSERT_TRUE(details_.get());
+  ProofVerifyDetailsChromium* verify_details =
+      static_cast<ProofVerifyDetailsChromium*>(details_.get());
+  EXPECT_TRUE(verify_details->cert_verify_result.cert_status &
+              CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED);
+}
+
+// Test that CT is considered even when HPKP fails.
+TEST_F(ProofVerifierChromiumTest, PKPAndCTBothTested) {
+  scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
+  ASSERT_TRUE(test_cert);
+
+  CertVerifyResult dummy_result;
+  dummy_result.verified_cert = test_cert;
+  dummy_result.is_issued_by_known_root = true;
+  dummy_result.public_key_hashes = MakeHashValueVector(0x01);
+  dummy_result.cert_status = 0;
+
+  MockCertVerifier dummy_verifier;
+  dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
+
+  // Set up HPKP.
+  HashValueVector pin_hashes = MakeHashValueVector(0x02);
+  transport_security_state_.AddHPKP(
+      kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000),
+      true, pin_hashes, GURL());
+
+  // Set up CT.
+  MockRequireCTDelegate require_ct_delegate;
+  transport_security_state_.SetRequireCTDelegate(&require_ct_delegate);
+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(_))
+      .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
+                                 CTRequirementLevel::NOT_REQUIRED));
+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(kTestHostname))
+      .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
+                                 CTRequirementLevel::REQUIRED));
+  EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _))
+      .WillRepeatedly(
+          Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
+
+  ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
+                                       &transport_security_state_,
+                                       ct_verifier_.get());
+
+  std::unique_ptr<DummyProofVerifierCallback> callback(
+      new DummyProofVerifierCallback);
+  QuicAsyncStatus status = proof_verifier.VerifyProof(
+      kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "",
+      GetTestSignature(), verify_context_.get(), &error_details_, &details_,
+      callback.get());
+  ASSERT_EQ(QUIC_FAILURE, status);
+
+  ASSERT_TRUE(details_.get());
+  ProofVerifyDetailsChromium* verify_details =
+      static_cast<ProofVerifyDetailsChromium*>(details_.get());
+  EXPECT_TRUE(verify_details->cert_verify_result.cert_status &
+              CERT_STATUS_PINNED_KEY_MISSING);
+  EXPECT_TRUE(verify_details->cert_verify_result.cert_status &
+              CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED);
+}
+
 }  // namespace test
 }  // namespace net