OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <memory> | 5 #include <memory> |
6 #include <utility> | 6 #include <utility> |
7 | 7 |
8 #include "base/memory/ptr_util.h" | 8 #include "base/memory/ptr_util.h" |
9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
10 #include "build/build_config.h" | 10 #include "build/build_config.h" |
(...skipping 678 matching lines...)
689 GURL latest_report_uri_; | 689 GURL latest_report_uri_; |
690 std::string latest_report_; | 690 std::string latest_report_; |
691 }; | 691 }; |
692 | 692 |
693 class TestExperimentalFeaturesNetworkDelegate : public TestNetworkDelegate { | 693 class TestExperimentalFeaturesNetworkDelegate : public TestNetworkDelegate { |
694 public: | 694 public: |
695 bool OnAreExperimentalCookieFeaturesEnabled() const override { return true; } | 695 bool OnAreExperimentalCookieFeaturesEnabled() const override { return true; } |
696 bool OnAreStrictSecureCookiesEnabled() const override { return true; } | 696 bool OnAreStrictSecureCookiesEnabled() const override { return true; } |
697 }; | 697 }; |
698 | 698 |
| 699 // OCSPErrorTestDelegate caches the SSLInfo passed to OnSSLCertificateError. |
| 700 // This is needed because after the certificate failure, the URLRequest will |
| 701 // retry the connection, and return a partial SSLInfo with a cached cert status. |
| 702 // The partial SSLInfo does not have the OCSP information filled out. |
| 703 class OCSPErrorTestDelegate : public TestDelegate { |
| 704 public: |
| 705 void OnSSLCertificateError(URLRequest* request, |
| 706 const SSLInfo& ssl_info, |
| 707 bool fatal) override { |
| 708 ssl_info_ = ssl_info; |
| 709 on_ssl_certificate_error_called_ = true; |
| 710 TestDelegate::OnSSLCertificateError(request, ssl_info, fatal); |
| 711 } |
| 712 |
| 713 bool on_ssl_certificate_error_called() { |
| 714 return on_ssl_certificate_error_called_; |
| 715 } |
| 716 |
| 717 SSLInfo ssl_info() { return ssl_info_; } |
| 718 |
| 719 private: |
| 720 bool on_ssl_certificate_error_called_ = false; |
| 721 SSLInfo ssl_info_; |
| 722 }; |
| 723 |
699 } // namespace | 724 } // namespace |
700 | 725 |
701 // Inherit PlatformTest since we require the autorelease pool on Mac OS X. | 726 // Inherit PlatformTest since we require the autorelease pool on Mac OS X. |
702 class URLRequestTest : public PlatformTest { | 727 class URLRequestTest : public PlatformTest { |
703 public: | 728 public: |
704 URLRequestTest() : default_context_(true) { | 729 URLRequestTest() : default_context_(true) { |
705 default_context_.set_network_delegate(&default_network_delegate_); | 730 default_context_.set_network_delegate(&default_network_delegate_); |
706 default_context_.set_net_log(&net_log_); | 731 default_context_.set_net_log(&net_log_); |
707 job_factory_impl_ = new URLRequestJobFactoryImpl(); | 732 job_factory_impl_ = new URLRequestJobFactoryImpl(); |
708 job_factory_.reset(job_factory_impl_); | 733 job_factory_.reset(job_factory_impl_); |
(...skipping 8246 matching lines...)
8955 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); | 8980 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); |
8956 test_root_.reset(new ScopedTestRoot(root_cert.get())); | 8981 test_root_.reset(new ScopedTestRoot(root_cert.get())); |
8957 | 8982 |
8958 #if defined(USE_NSS_CERTS) | 8983 #if defined(USE_NSS_CERTS) |
8959 SetURLRequestContextForNSSHttpIO(&context_); | 8984 SetURLRequestContextForNSSHttpIO(&context_); |
8960 EnsureNSSHttpIOInit(); | 8985 EnsureNSSHttpIOInit(); |
8961 #endif | 8986 #endif |
8962 } | 8987 } |
8963 | 8988 |
8964 void DoConnection(const SpawnedTestServer::SSLOptions& ssl_options, | 8989 void DoConnection(const SpawnedTestServer::SSLOptions& ssl_options, |
8965 CertStatus* out_cert_status) { | 8990 TestDelegate* delegate, |
8966 // We always overwrite out_cert_status. | 8991 SSLInfo* out_ssl_info) { |
8967 *out_cert_status = 0; | 8992 // Always overwrite |out_ssl_info|. |
| 8993 out_ssl_info->Reset(); |
| 8994 |
8968 SpawnedTestServer test_server( | 8995 SpawnedTestServer test_server( |
8969 SpawnedTestServer::TYPE_HTTPS, | 8996 SpawnedTestServer::TYPE_HTTPS, |
8970 ssl_options, | 8997 ssl_options, |
8971 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 8998 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
8972 ASSERT_TRUE(test_server.Start()); | 8999 ASSERT_TRUE(test_server.Start()); |
8973 | 9000 |
8974 TestDelegate d; | 9001 delegate->set_allow_certificate_errors(true); |
8975 d.set_allow_certificate_errors(true); | 9002 std::unique_ptr<URLRequest> r(context_.CreateRequest( |
8976 std::unique_ptr<URLRequest> r( | 9003 test_server.GetURL("/"), DEFAULT_PRIORITY, delegate)); |
8977 context_.CreateRequest(test_server.GetURL("/"), DEFAULT_PRIORITY, &d)); | |
8978 r->Start(); | 9004 r->Start(); |
8979 | 9005 |
8980 base::RunLoop().Run(); | 9006 base::RunLoop().Run(); |
| 9007 EXPECT_EQ(1, delegate->response_started_count()); |
8981 | 9008 |
8982 EXPECT_EQ(1, d.response_started_count()); | 9009 *out_ssl_info = r->ssl_info(); |
8983 *out_cert_status = r->ssl_info().cert_status; | 9010 } |
| 9011 |
| 9012 void DoConnection(const SpawnedTestServer::SSLOptions& ssl_options, |
| 9013 CertStatus* out_cert_status) { |
| 9014 // Always overwrite |out_cert_status|. |
| 9015 *out_cert_status = 0; |
| 9016 |
| 9017 TestDelegate d; |
| 9018 SSLInfo ssl_info; |
| 9019 ASSERT_NO_FATAL_FAILURE(DoConnection(ssl_options, &d, &ssl_info)); |
| 9020 |
| 9021 *out_cert_status = ssl_info.cert_status; |
8984 } | 9022 } |
8985 | 9023 |
8986 ~HTTPSOCSPTest() override { | 9024 ~HTTPSOCSPTest() override { |
8987 #if defined(USE_NSS_CERTS) | 9025 #if defined(USE_NSS_CERTS) |
8988 ShutdownNSSHttpIO(); | 9026 ShutdownNSSHttpIO(); |
8989 #endif | 9027 #endif |
8990 } | 9028 } |
8991 | 9029 |
8992 protected: | 9030 protected: |
8993 class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer { | 9031 class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer { |
(...skipping 134 matching lines...)
9128 } | 9166 } |
9129 | 9167 |
9130 TEST_F(HTTPSOCSPTest, Invalid) { | 9168 TEST_F(HTTPSOCSPTest, Invalid) { |
9131 if (!SystemSupportsOCSP()) { | 9169 if (!SystemSupportsOCSP()) { |
9132 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9170 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9133 return; | 9171 return; |
9134 } | 9172 } |
9135 | 9173 |
9136 SpawnedTestServer::SSLOptions ssl_options( | 9174 SpawnedTestServer::SSLOptions ssl_options( |
9137 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9175 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9138 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9176 ssl_options.ocsp_status = |
| 9177 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9139 | 9178 |
9140 CertStatus cert_status; | 9179 CertStatus cert_status; |
9141 DoConnection(ssl_options, &cert_status); | 9180 DoConnection(ssl_options, &cert_status); |
9142 | 9181 |
9143 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9182 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
9144 cert_status & CERT_STATUS_ALL_ERRORS); | 9183 cert_status & CERT_STATUS_ALL_ERRORS); |
9145 | 9184 |
9146 // Without a positive OCSP response, we shouldn't show the EV status. | 9185 // Without a positive OCSP response, we shouldn't show the EV status. |
9147 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9186 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
9148 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9187 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
(...skipping 43 matching lines...)
9192 ssl_options.ocsp_server_unavailable = true; | 9231 ssl_options.ocsp_server_unavailable = true; |
9193 | 9232 |
9194 CertStatus cert_status; | 9233 CertStatus cert_status; |
9195 DoConnection(ssl_options, &cert_status); | 9234 DoConnection(ssl_options, &cert_status); |
9196 | 9235 |
9197 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); | 9236 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); |
9198 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9237 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
9199 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9238 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
9200 } | 9239 } |
9201 | 9240 |
| 9241 static const struct OCSPVerifyTestData { |
| 9242 std::vector<SpawnedTestServer::SSLOptions::SingleResponse> ocsp_responses; |
| 9243 SpawnedTestServer::SSLOptions::OCSPProduced ocsp_produced; |
| 9244 OCSPVerifyResult::ResponseStatus response_status; |
| 9245 bool has_cert_status; |
| 9246 OCSPRevocationStatus cert_status; |
| 9247 } kOCSPVerifyData[] = { |
| 9248 |
| 9249 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9250 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9251 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9252 OCSPVerifyResult::PROVIDED, |
| 9253 true, |
| 9254 OCSPRevocationStatus::GOOD}, |
| 9255 |
| 9256 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9257 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}}, |
| 9258 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9259 OCSPVerifyResult::INVALID_DATE, |
| 9260 false, |
| 9261 OCSPRevocationStatus::UNKNOWN}, |
| 9262 |
| 9263 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9264 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}}, |
| 9265 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9266 OCSPVerifyResult::INVALID_DATE, |
| 9267 false, |
| 9268 OCSPRevocationStatus::UNKNOWN}, |
| 9269 |
| 9270 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9271 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}}, |
| 9272 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9273 OCSPVerifyResult::INVALID_DATE, |
| 9274 false, |
| 9275 OCSPRevocationStatus::UNKNOWN}, |
| 9276 |
| 9277 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9278 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}}, |
| 9279 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9280 OCSPVerifyResult::INVALID_DATE, |
| 9281 false, |
| 9282 OCSPRevocationStatus::UNKNOWN}, |
| 9283 |
| 9284 {{{SpawnedTestServer::SSLOptions::OCSP_TRY_LATER, |
| 9285 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9286 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9287 OCSPVerifyResult::BAD_RESPONSE, |
| 9288 false, |
| 9289 OCSPRevocationStatus::UNKNOWN}, |
| 9290 |
| 9291 {{{SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE, |
| 9292 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9293 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9294 OCSPVerifyResult::PARSE_RESPONSE, |
| 9295 false, |
| 9296 OCSPRevocationStatus::UNKNOWN}, |
| 9297 |
| 9298 {{{SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE_DATA, |
| 9299 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9300 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9301 OCSPVerifyResult::PARSE_RESPONSE_DATA, |
| 9302 false, |
| 9303 OCSPRevocationStatus::UNKNOWN}, |
| 9304 |
| 9305 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9306 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}}, |
| 9307 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9308 OCSPVerifyResult::INVALID_DATE, |
| 9309 false, |
| 9310 OCSPRevocationStatus::UNKNOWN}, |
| 9311 |
| 9312 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9313 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9314 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9315 OCSPVerifyResult::PROVIDED, |
| 9316 true, |
| 9317 OCSPRevocationStatus::UNKNOWN}, |
| 9318 |
| 9319 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9320 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}}, |
| 9321 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9322 OCSPVerifyResult::INVALID_DATE, |
| 9323 false, |
| 9324 OCSPRevocationStatus::UNKNOWN}, |
| 9325 |
| 9326 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9327 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}}, |
| 9328 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9329 OCSPVerifyResult::INVALID_DATE, |
| 9330 false, |
| 9331 OCSPRevocationStatus::UNKNOWN}, |
| 9332 |
| 9333 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9334 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9335 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_BEFORE_CERT, |
| 9336 OCSPVerifyResult::BAD_PRODUCED_AT, |
| 9337 false, |
| 9338 OCSPRevocationStatus::UNKNOWN}, |
| 9339 |
| 9340 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9341 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9342 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_AFTER_CERT, |
| 9343 OCSPVerifyResult::BAD_PRODUCED_AT, |
| 9344 false, |
| 9345 OCSPRevocationStatus::UNKNOWN}, |
| 9346 |
| 9347 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9348 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9349 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_AFTER_CERT, |
| 9350 OCSPVerifyResult::BAD_PRODUCED_AT, |
| 9351 false, |
| 9352 OCSPRevocationStatus::UNKNOWN}, |
| 9353 |
| 9354 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9355 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9356 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9357 OCSPVerifyResult::PROVIDED, |
| 9358 true, |
| 9359 OCSPRevocationStatus::REVOKED}, |
| 9360 |
| 9361 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9362 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}}, |
| 9363 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9364 OCSPVerifyResult::INVALID_DATE, |
| 9365 false, |
| 9366 OCSPRevocationStatus::UNKNOWN}, |
| 9367 |
| 9368 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9369 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}}, |
| 9370 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9371 OCSPVerifyResult::INVALID_DATE, |
| 9372 false, |
| 9373 OCSPRevocationStatus::UNKNOWN}, |
| 9374 |
| 9375 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9376 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9377 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9378 OCSPVerifyResult::PROVIDED, |
| 9379 true, |
| 9380 OCSPRevocationStatus::GOOD}, |
| 9381 |
| 9382 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9383 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}, |
| 9384 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9385 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9386 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9387 OCSPVerifyResult::PROVIDED, |
| 9388 true, |
| 9389 OCSPRevocationStatus::GOOD}, |
| 9390 |
| 9391 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9392 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}, |
| 9393 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9394 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9395 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9396 OCSPVerifyResult::PROVIDED, |
| 9397 true, |
| 9398 OCSPRevocationStatus::GOOD}, |
| 9399 |
| 9400 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9401 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}, |
| 9402 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9403 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9404 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9405 OCSPVerifyResult::PROVIDED, |
| 9406 true, |
| 9407 OCSPRevocationStatus::GOOD}, |
| 9408 |
| 9409 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9410 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}, |
| 9411 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9412 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}, |
| 9413 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9414 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}}, |
| 9415 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9416 OCSPVerifyResult::INVALID_DATE, |
| 9417 false, |
| 9418 OCSPRevocationStatus::UNKNOWN}, |
| 9419 |
| 9420 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9421 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}, |
| 9422 {SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9423 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}, |
| 9424 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9425 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9426 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9427 OCSPVerifyResult::PROVIDED, |
| 9428 true, |
| 9429 OCSPRevocationStatus::REVOKED}, |
| 9430 |
| 9431 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9432 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}, |
| 9433 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9434 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9435 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9436 OCSPVerifyResult::PROVIDED, |
| 9437 true, |
| 9438 OCSPRevocationStatus::UNKNOWN}, |
| 9439 |
| 9440 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9441 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}, |
| 9442 {SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9443 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}, |
| 9444 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9445 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9446 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9447 OCSPVerifyResult::PROVIDED, |
| 9448 true, |
| 9449 OCSPRevocationStatus::UNKNOWN}, |
| 9450 |
| 9451 {{{SpawnedTestServer::SSLOptions::OCSP_MISMATCHED_SERIAL, |
| 9452 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9453 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9454 OCSPVerifyResult::NO_MATCHING_RESPONSE, |
| 9455 false, |
| 9456 OCSPRevocationStatus::UNKNOWN}, |
| 9457 |
| 9458 {{{SpawnedTestServer::SSLOptions::OCSP_MISMATCHED_SERIAL, |
| 9459 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}}, |
| 9460 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9461 OCSPVerifyResult::NO_MATCHING_RESPONSE, |
| 9462 false, |
| 9463 OCSPRevocationStatus::UNKNOWN}, |
| 9464 |
| 9465 }; |
| 9466 |
| 9467 class HTTPSOCSPVerifyTest |
| 9468 : public HTTPSOCSPTest, |
| 9469 public testing::WithParamInterface<OCSPVerifyTestData> { |
| 9470 public: |
| 9471 HTTPSOCSPVerifyTest() = default; |
| 9472 virtual ~HTTPSOCSPVerifyTest() {} |
| 9473 }; |
| 9474 |
| 9475 TEST_P(HTTPSOCSPVerifyTest, VerifyResult) { |
| 9476 SpawnedTestServer::SSLOptions ssl_options( |
| 9477 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9478 OCSPVerifyTestData test = GetParam(); |
| 9479 |
| 9480 ssl_options.ocsp_responses = test.ocsp_responses; |
| 9481 ssl_options.ocsp_produced = test.ocsp_produced; |
| 9482 ssl_options.staple_ocsp_response = true; |
| 9483 |
| 9484 SSLInfo ssl_info; |
| 9485 OCSPErrorTestDelegate delegate; |
| 9486 ASSERT_NO_FATAL_FAILURE(DoConnection(ssl_options, &delegate, &ssl_info)); |
| 9487 |
| 9488 // The actual CERT_STATUS is determined by the platform-specific |
| 9489 // CertVerifyProc implementations. The internal Chrome OCSP implementation |
| 9490 // doesn't affect the final certificate status, and so this test only checks |
| 9491 // that if there is an error, the error was due to revocation. The SSLInfo |
| 9492 // must be extracted from |delegate| on error, due to how URLRequest caches |
| 9493 // certificate errors. |
| 9494 if (delegate.have_certificate_errors()) { |
| 9495 ASSERT_TRUE(delegate.on_ssl_certificate_error_called()); |
| 9496 ssl_info = delegate.ssl_info(); |
| 9497 EXPECT_EQ(CERT_STATUS_REVOKED, ssl_info.cert_status & CERT_STATUS_REVOKED); |
| 9498 } else { |
| 9499 EXPECT_EQ(0u, ssl_info.cert_status & CERT_STATUS_ALL_ERRORS); |
| 9500 } |
| 9501 |
| 9502 EXPECT_EQ(test.response_status, ssl_info.ocsp.response_status); |
| 9503 |
| 9504 if (test.has_cert_status) { |
| 9505 ASSERT_TRUE(ssl_info.ocsp.cert_status); |
| 9506 EXPECT_EQ(test.cert_status, *ssl_info.ocsp.cert_status); |
| 9507 } else { |
| 9508 EXPECT_FALSE(ssl_info.ocsp.cert_status); |
| 9509 } |
| 9510 } |
| 9511 |
| 9512 INSTANTIATE_TEST_CASE_P(OCSPVerify, |
| 9513 HTTPSOCSPVerifyTest, |
| 9514 testing::ValuesIn(kOCSPVerifyData)); |
| 9515 |
9202 class HTTPSHardFailTest : public HTTPSOCSPTest { | 9516 class HTTPSHardFailTest : public HTTPSOCSPTest { |
9203 protected: | 9517 protected: |
9204 void SetupContext() override { | 9518 void SetupContext() override { |
9205 context_.set_ssl_config_service(new TestSSLConfigService( | 9519 context_.set_ssl_config_service(new TestSSLConfigService( |
9206 false /* check for EV */, false /* online revocation checking */, | 9520 false /* check for EV */, false /* online revocation checking */, |
9207 true /* require rev. checking for local | 9521 true /* require rev. checking for local |
9208 anchors */, | 9522 anchors */, |
9209 false /* token binding enabled */)); | 9523 false /* token binding enabled */)); |
9210 } | 9524 } |
9211 }; | 9525 }; |
9212 | 9526 |
9213 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) { | 9527 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) { |
9214 if (!SystemSupportsOCSP()) { | 9528 if (!SystemSupportsOCSP()) { |
9215 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9529 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9216 return; | 9530 return; |
9217 } | 9531 } |
9218 | 9532 |
9219 if (!SystemSupportsHardFailRevocationChecking()) { | 9533 if (!SystemSupportsHardFailRevocationChecking()) { |
9220 LOG(WARNING) << "Skipping test because system doesn't support hard fail " | 9534 LOG(WARNING) << "Skipping test because system doesn't support hard fail " |
9221 << "revocation checking"; | 9535 << "revocation checking"; |
9222 return; | 9536 return; |
9223 } | 9537 } |
9224 | 9538 |
9225 SpawnedTestServer::SSLOptions ssl_options( | 9539 SpawnedTestServer::SSLOptions ssl_options( |
9226 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9540 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9227 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9541 ssl_options.ocsp_status = |
| 9542 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9228 | 9543 |
9229 CertStatus cert_status; | 9544 CertStatus cert_status; |
9230 DoConnection(ssl_options, &cert_status); | 9545 DoConnection(ssl_options, &cert_status); |
9231 | 9546 |
9232 EXPECT_EQ(CERT_STATUS_REVOKED, | 9547 EXPECT_EQ(CERT_STATUS_REVOKED, |
9233 cert_status & CERT_STATUS_REVOKED); | 9548 cert_status & CERT_STATUS_REVOKED); |
9234 | 9549 |
9235 // Without a positive OCSP response, we shouldn't show the EV status. | 9550 // Without a positive OCSP response, we shouldn't show the EV status. |
9236 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9551 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
9237 } | 9552 } |
(...skipping 10 matching lines...)
9248 }; | 9563 }; |
9249 | 9564 |
9250 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) { | 9565 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) { |
9251 if (!SystemSupportsOCSP()) { | 9566 if (!SystemSupportsOCSP()) { |
9252 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9567 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9253 return; | 9568 return; |
9254 } | 9569 } |
9255 | 9570 |
9256 SpawnedTestServer::SSLOptions ssl_options( | 9571 SpawnedTestServer::SSLOptions ssl_options( |
9257 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9572 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9258 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9573 ssl_options.ocsp_status = |
| 9574 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9259 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); | 9575 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); |
9260 | 9576 |
9261 CertStatus cert_status; | 9577 CertStatus cert_status; |
9262 DoConnection(ssl_options, &cert_status); | 9578 DoConnection(ssl_options, &cert_status); |
9263 | 9579 |
9264 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9580 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
9265 cert_status & CERT_STATUS_ALL_ERRORS); | 9581 cert_status & CERT_STATUS_ALL_ERRORS); |
9266 | 9582 |
9267 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9583 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
9268 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9584 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
(...skipping 51 matching lines...)
9320 } | 9636 } |
9321 | 9637 |
9322 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSet) { | 9638 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSet) { |
9323 if (!SystemSupportsOCSP()) { | 9639 if (!SystemSupportsOCSP()) { |
9324 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9640 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9325 return; | 9641 return; |
9326 } | 9642 } |
9327 | 9643 |
9328 SpawnedTestServer::SSLOptions ssl_options( | 9644 SpawnedTestServer::SSLOptions ssl_options( |
9329 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9645 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9330 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9646 ssl_options.ocsp_status = |
| 9647 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9331 SSLConfigService::SetCRLSet( | 9648 SSLConfigService::SetCRLSet( |
9332 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); | 9649 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
9333 | 9650 |
9334 CertStatus cert_status; | 9651 CertStatus cert_status; |
9335 DoConnection(ssl_options, &cert_status); | 9652 DoConnection(ssl_options, &cert_status); |
9336 | 9653 |
9337 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9654 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
9338 cert_status & CERT_STATUS_ALL_ERRORS); | 9655 cert_status & CERT_STATUS_ALL_ERRORS); |
9339 | 9656 |
9340 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9657 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
9341 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9658 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
9342 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9659 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
9343 } | 9660 } |
9344 | 9661 |
9345 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { | 9662 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { |
9346 if (!SystemSupportsOCSP()) { | 9663 if (!SystemSupportsOCSP()) { |
9347 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9664 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9348 return; | 9665 return; |
9349 } | 9666 } |
9350 | 9667 |
9351 SpawnedTestServer::SSLOptions ssl_options( | 9668 SpawnedTestServer::SSLOptions ssl_options( |
9352 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9669 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9353 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9670 ssl_options.ocsp_status = |
| 9671 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9354 SSLConfigService::SetCRLSet( | 9672 SSLConfigService::SetCRLSet( |
9355 scoped_refptr<CRLSet>(CRLSet::ForTesting( | 9673 scoped_refptr<CRLSet>(CRLSet::ForTesting( |
9356 false, &kOCSPTestCertSPKI, ""))); | 9674 false, &kOCSPTestCertSPKI, ""))); |
9357 | 9675 |
9358 CertStatus cert_status; | 9676 CertStatus cert_status; |
9359 DoConnection(ssl_options, &cert_status); | 9677 DoConnection(ssl_options, &cert_status); |
9360 | 9678 |
9361 // With a fresh CRLSet that covers the issuing certificate, we shouldn't do a | 9679 // With a fresh CRLSet that covers the issuing certificate, we shouldn't do a |
9362 // revocation check for EV. | 9680 // revocation check for EV. |
9363 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); | 9681 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
9364 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9682 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
9365 static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); | 9683 static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); |
9366 EXPECT_FALSE( | 9684 EXPECT_FALSE( |
9367 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9685 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
9368 } | 9686 } |
9369 | 9687 |
9370 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetNotCovered) { | 9688 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetNotCovered) { |
9371 if (!SystemSupportsOCSP()) { | 9689 if (!SystemSupportsOCSP()) { |
9372 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9690 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9373 return; | 9691 return; |
9374 } | 9692 } |
9375 | 9693 |
9376 SpawnedTestServer::SSLOptions ssl_options( | 9694 SpawnedTestServer::SSLOptions ssl_options( |
9377 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9695 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9378 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9696 ssl_options.ocsp_status = |
| 9697 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9379 SSLConfigService::SetCRLSet( | 9698 SSLConfigService::SetCRLSet( |
9380 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); | 9699 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); |
9381 | 9700 |
9382 CertStatus cert_status = 0; | 9701 CertStatus cert_status = 0; |
9383 DoConnection(ssl_options, &cert_status); | 9702 DoConnection(ssl_options, &cert_status); |
9384 | 9703 |
9385 // Even with a fresh CRLSet, we should still do online revocation checks when | 9704 // Even with a fresh CRLSet, we should still do online revocation checks when |
9386 // the certificate chain isn't covered by the CRLSet, which it isn't in this | 9705 // the certificate chain isn't covered by the CRLSet, which it isn't in this |
9387 // test. | 9706 // test. |
9388 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9707 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
(...skipping 39 matching lines...)
9428 false /* check for EV */, false /* online revocation checking */, | 9747 false /* check for EV */, false /* online revocation checking */, |
9429 false /* require rev. checking for local | 9748 false /* require rev. checking for local |
9430 anchors */, | 9749 anchors */, |
9431 false /* token binding enabled */)); | 9750 false /* token binding enabled */)); |
9432 } | 9751 } |
9433 }; | 9752 }; |
9434 | 9753 |
9435 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { | 9754 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { |
9436 SpawnedTestServer::SSLOptions ssl_options( | 9755 SpawnedTestServer::SSLOptions ssl_options( |
9437 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9756 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9438 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9757 ssl_options.ocsp_status = |
| 9758 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9439 SSLConfigService::SetCRLSet( | 9759 SSLConfigService::SetCRLSet( |
9440 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); | 9760 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
9441 | 9761 |
9442 CertStatus cert_status; | 9762 CertStatus cert_status; |
9443 DoConnection(ssl_options, &cert_status); | 9763 DoConnection(ssl_options, &cert_status); |
9444 | 9764 |
9445 // If we're not trying EV verification then, even if the CRLSet has expired, | 9765 // If we're not trying EV verification then, even if the CRLSet has expired, |
9446 // we don't fall back to online revocation checks. | 9766 // we don't fall back to online revocation checks. |
9447 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); | 9767 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
9448 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9768 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
(...skipping 394 matching lines...)
9843 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 10163 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
9844 | 10164 |
9845 req->Start(); | 10165 req->Start(); |
9846 req->Cancel(); | 10166 req->Cancel(); |
9847 base::RunLoop().RunUntilIdle(); | 10167 base::RunLoop().RunUntilIdle(); |
9848 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); | 10168 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); |
9849 EXPECT_EQ(0, d.received_redirect_count()); | 10169 EXPECT_EQ(0, d.received_redirect_count()); |
9850 } | 10170 } |
9851 | 10171 |
9852 } // namespace net | 10172 } // namespace net |
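Review bot: Several rows of `kOCSPVerifyData` are exact repeats, so the parameterized `HTTPSOCSPVerifyTest.VerifyResult` runs the same stapled-response case more than once without adding coverage: the `OCSP_OK`/`OCSP_DATE_LONG` row at new lines 9270 and 9277, the `OCSP_OK`/`OCSP_DATE_VALID`/`OCSP_PRODUCED_AFTER_CERT` row at 9340 and 9347, and the first row (9249) again at 9375. These read like copy-paste leftovers; `OCSP_UNKNOWN` combined with `OCSP_DATE_LONG` never appears in the table, so one of the repeats may have been meant for it, which is an inference to confirm with the author. Either drop the repeated rows or replace them with the intended combination, because a gap in this table is a gap in what the OCSP response verifier is shown to reject. A one-line comment above each row naming the scenario, for example `// Single OCSP_OK response with OCSP_DATE_OLD: INVALID_DATE, no cert status.`, would make repeats visible in review and let a failing parameter index be mapped back to a case.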
OLD | NEW |