OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <memory> | 5 #include <memory> |
6 #include <utility> | 6 #include <utility> |
7 | 7 |
8 #include "base/memory/ptr_util.h" | 8 #include "base/memory/ptr_util.h" |
9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
10 #include "build/build_config.h" | 10 #include "build/build_config.h" |
689 GURL latest_report_uri_; | 689 GURL latest_report_uri_; |
690 std::string latest_report_; | 690 std::string latest_report_; |
691 }; | 691 }; |
692 | 692 |
693 class TestExperimentalFeaturesNetworkDelegate : public TestNetworkDelegate { | 693 class TestExperimentalFeaturesNetworkDelegate : public TestNetworkDelegate { |
694 public: | 694 public: |
695 bool OnAreExperimentalCookieFeaturesEnabled() const override { return true; } | 695 bool OnAreExperimentalCookieFeaturesEnabled() const override { return true; } |
696 bool OnAreStrictSecureCookiesEnabled() const override { return true; } | 696 bool OnAreStrictSecureCookiesEnabled() const override { return true; } |
697 }; | 697 }; |
698 | 698 |
| 699 // OCSPErrorTestDelegate caches the SSLInfo passed to OnSSLCertificateError. |
| 700 // This is needed because after the certificate failure, the URLRequest will |
| 701 // retry the connection, and return a partial SSLInfo with a cached cert status. |
| 702 // The partial SSLInfo does not have the OCSP information filled out. |
| 703 class OCSPErrorTestDelegate : public TestDelegate { |
| 704 public: |
| 705 void OnSSLCertificateError(URLRequest* request, |
| 706 const SSLInfo& ssl_info, |
| 707 bool fatal) override { |
| 708 ssl_info_ = ssl_info; |
| 709 on_ssl_certificate_error_called_ = true; |
| 710 TestDelegate::OnSSLCertificateError(request, ssl_info, fatal); |
| 711 } |
| 712 |
| 713 bool on_ssl_certificate_error_called() { |
| 714 return on_ssl_certificate_error_called_; |
| 715 } |
| 716 |
| 717 SSLInfo ssl_info() { return ssl_info_; } |
| 718 |
| 719 private: |
| 720 bool on_ssl_certificate_error_called_ = false; |
| 721 SSLInfo ssl_info_; |
| 722 }; |
| 723 |
699 } // namespace | 724 } // namespace |
700 | 725 |
701 // Inherit PlatformTest since we require the autorelease pool on Mac OS X. | 726 // Inherit PlatformTest since we require the autorelease pool on Mac OS X. |
702 class URLRequestTest : public PlatformTest { | 727 class URLRequestTest : public PlatformTest { |
703 public: | 728 public: |
704 URLRequestTest() : default_context_(true) { | 729 URLRequestTest() : default_context_(true) { |
705 default_context_.set_network_delegate(&default_network_delegate_); | 730 default_context_.set_network_delegate(&default_network_delegate_); |
706 default_context_.set_net_log(&net_log_); | 731 default_context_.set_net_log(&net_log_); |
707 job_factory_impl_ = new URLRequestJobFactoryImpl(); | 732 job_factory_impl_ = new URLRequestJobFactoryImpl(); |
708 job_factory_.reset(job_factory_impl_); | 733 job_factory_.reset(job_factory_impl_); |
8951 ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); | 8976 ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); |
8952 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); | 8977 CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); |
8953 test_root_.reset(new ScopedTestRoot(root_cert.get())); | 8978 test_root_.reset(new ScopedTestRoot(root_cert.get())); |
8954 | 8979 |
8955 #if defined(USE_NSS_CERTS) | 8980 #if defined(USE_NSS_CERTS) |
8956 SetURLRequestContextForNSSHttpIO(&context_); | 8981 SetURLRequestContextForNSSHttpIO(&context_); |
8957 EnsureNSSHttpIOInit(); | 8982 EnsureNSSHttpIOInit(); |
8958 #endif | 8983 #endif |
8959 } | 8984 } |
8960 | 8985 |
8961 void DoConnection(const SpawnedTestServer::SSLOptions& ssl_options, | 8986 void DoConnectionWithDelegate( |
8962 CertStatus* out_cert_status) { | 8987 const SpawnedTestServer::SSLOptions& ssl_options, |
8963 // We always overwrite out_cert_status. | 8988 TestDelegate* delegate, |
8964 *out_cert_status = 0; | 8989 SSLInfo* out_ssl_info) { |
| 8990 // Always overwrite |out_ssl_info|. |
| 8991 out_ssl_info->Reset(); |
| 8992 |
8965 SpawnedTestServer test_server( | 8993 SpawnedTestServer test_server( |
8966 SpawnedTestServer::TYPE_HTTPS, | 8994 SpawnedTestServer::TYPE_HTTPS, |
8967 ssl_options, | 8995 ssl_options, |
8968 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 8996 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
8969 ASSERT_TRUE(test_server.Start()); | 8997 ASSERT_TRUE(test_server.Start()); |
8970 | 8998 |
8971 TestDelegate d; | 8999 delegate->set_allow_certificate_errors(true); |
8972 d.set_allow_certificate_errors(true); | 9000 std::unique_ptr<URLRequest> r(context_.CreateRequest( |
8973 std::unique_ptr<URLRequest> r( | 9001 test_server.GetURL("/"), DEFAULT_PRIORITY, delegate)); |
8974 context_.CreateRequest(test_server.GetURL("/"), DEFAULT_PRIORITY, &d)); | |
8975 r->Start(); | 9002 r->Start(); |
8976 | 9003 |
8977 base::RunLoop().Run(); | 9004 base::RunLoop().Run(); |
| 9005 EXPECT_EQ(1, delegate->response_started_count()); |
8978 | 9006 |
8979 EXPECT_EQ(1, d.response_started_count()); | 9007 *out_ssl_info = r->ssl_info(); |
8980 *out_cert_status = r->ssl_info().cert_status; | 9008 } |
| 9009 |
| 9010 void DoConnection(const SpawnedTestServer::SSLOptions& ssl_options, |
| 9011 CertStatus* out_cert_status) { |
| 9012 // Always overwrite |out_cert_status|. |
| 9013 *out_cert_status = 0; |
| 9014 |
| 9015 TestDelegate d; |
| 9016 SSLInfo ssl_info; |
| 9017 ASSERT_NO_FATAL_FAILURE( |
| 9018 DoConnectionWithDelegate(ssl_options, &d, &ssl_info)); |
| 9019 |
| 9020 *out_cert_status = ssl_info.cert_status; |
8981 } | 9021 } |
8982 | 9022 |
8983 ~HTTPSOCSPTest() override { | 9023 ~HTTPSOCSPTest() override { |
8984 #if defined(USE_NSS_CERTS) | 9024 #if defined(USE_NSS_CERTS) |
8985 ShutdownNSSHttpIO(); | 9025 ShutdownNSSHttpIO(); |
8986 #endif | 9026 #endif |
8987 } | 9027 } |
8988 | 9028 |
8989 protected: | 9029 protected: |
8990 class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer { | 9030 class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer { |
9125 } | 9165 } |
9126 | 9166 |
9127 TEST_F(HTTPSOCSPTest, Invalid) { | 9167 TEST_F(HTTPSOCSPTest, Invalid) { |
9128 if (!SystemSupportsOCSP()) { | 9168 if (!SystemSupportsOCSP()) { |
9129 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9169 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9130 return; | 9170 return; |
9131 } | 9171 } |
9132 | 9172 |
9133 SpawnedTestServer::SSLOptions ssl_options( | 9173 SpawnedTestServer::SSLOptions ssl_options( |
9134 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9174 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9135 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9175 ssl_options.ocsp_status = |
| 9176 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9136 | 9177 |
9137 CertStatus cert_status; | 9178 CertStatus cert_status; |
9138 DoConnection(ssl_options, &cert_status); | 9179 DoConnection(ssl_options, &cert_status); |
9139 | 9180 |
9140 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9181 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
9141 cert_status & CERT_STATUS_ALL_ERRORS); | 9182 cert_status & CERT_STATUS_ALL_ERRORS); |
9142 | 9183 |
9143 // Without a positive OCSP response, we shouldn't show the EV status. | 9184 // Without a positive OCSP response, we shouldn't show the EV status. |
9144 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9185 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
9145 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9186 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
9189 ssl_options.ocsp_server_unavailable = true; | 9230 ssl_options.ocsp_server_unavailable = true; |
9190 | 9231 |
9191 CertStatus cert_status; | 9232 CertStatus cert_status; |
9192 DoConnection(ssl_options, &cert_status); | 9233 DoConnection(ssl_options, &cert_status); |
9193 | 9234 |
9194 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); | 9235 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); |
9195 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9236 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
9196 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9237 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
9197 } | 9238 } |
9198 | 9239 |
| 9240 static const struct OCSPVerifyTestData { |
| 9241 std::vector<SpawnedTestServer::SSLOptions::OCSPSingleResponse> ocsp_responses; |
| 9242 SpawnedTestServer::SSLOptions::OCSPProduced ocsp_produced; |
| 9243 OCSPVerifyResult::ResponseStatus response_status; |
| 9244 bool has_revocation_status; |
| 9245 OCSPRevocationStatus cert_status; |
| 9246 } kOCSPVerifyData[] = { |
| 9247 |
| 9248 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9249 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9250 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9251 OCSPVerifyResult::PROVIDED, |
| 9252 true, |
| 9253 OCSPRevocationStatus::GOOD}, |
| 9254 |
| 9255 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9256 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}}, |
| 9257 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9258 OCSPVerifyResult::INVALID_DATE, |
| 9259 false, |
| 9260 OCSPRevocationStatus::UNKNOWN}, |
| 9261 |
| 9262 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9263 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}}, |
| 9264 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9265 OCSPVerifyResult::INVALID_DATE, |
| 9266 false, |
| 9267 OCSPRevocationStatus::UNKNOWN}, |
| 9268 |
| 9269 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9270 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}}, |
| 9271 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9272 OCSPVerifyResult::INVALID_DATE, |
| 9273 false, |
| 9274 OCSPRevocationStatus::UNKNOWN}, |
| 9275 |
| 9276 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9277 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}}, |
| 9278 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9279 OCSPVerifyResult::INVALID_DATE, |
| 9280 false, |
| 9281 OCSPRevocationStatus::UNKNOWN}, |
| 9282 |
| 9283 {{{SpawnedTestServer::SSLOptions::OCSP_TRY_LATER, |
| 9284 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9285 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9286 OCSPVerifyResult::ERROR_RESPONSE, |
| 9287 false, |
| 9288 OCSPRevocationStatus::UNKNOWN}, |
| 9289 |
| 9290 {{{SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE, |
| 9291 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9292 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9293 OCSPVerifyResult::PARSE_RESPONSE_ERROR, |
| 9294 false, |
| 9295 OCSPRevocationStatus::UNKNOWN}, |
| 9296 |
| 9297 {{{SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE_DATA, |
| 9298 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9299 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9300 OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR, |
| 9301 false, |
| 9302 OCSPRevocationStatus::UNKNOWN}, |
| 9303 |
| 9304 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9305 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}}, |
| 9306 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9307 OCSPVerifyResult::INVALID_DATE, |
| 9308 false, |
| 9309 OCSPRevocationStatus::UNKNOWN}, |
| 9310 |
| 9311 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9312 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9313 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9314 OCSPVerifyResult::PROVIDED, |
| 9315 true, |
| 9316 OCSPRevocationStatus::UNKNOWN}, |
| 9317 |
| 9318 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9319 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}}, |
| 9320 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9321 OCSPVerifyResult::INVALID_DATE, |
| 9322 false, |
| 9323 OCSPRevocationStatus::UNKNOWN}, |
| 9324 |
| 9325 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9326 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}}, |
| 9327 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9328 OCSPVerifyResult::INVALID_DATE, |
| 9329 false, |
| 9330 OCSPRevocationStatus::UNKNOWN}, |
| 9331 |
| 9332 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9333 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9334 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_BEFORE_CERT, |
| 9335 OCSPVerifyResult::BAD_PRODUCED_AT, |
| 9336 false, |
| 9337 OCSPRevocationStatus::UNKNOWN}, |
| 9338 |
| 9339 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9340 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9341 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_AFTER_CERT, |
| 9342 OCSPVerifyResult::BAD_PRODUCED_AT, |
| 9343 false, |
| 9344 OCSPRevocationStatus::UNKNOWN}, |
| 9345 |
| 9346 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9347 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9348 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_AFTER_CERT, |
| 9349 OCSPVerifyResult::BAD_PRODUCED_AT, |
| 9350 false, |
| 9351 OCSPRevocationStatus::UNKNOWN}, |
| 9352 |
| 9353 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9354 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9355 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9356 OCSPVerifyResult::PROVIDED, |
| 9357 true, |
| 9358 OCSPRevocationStatus::REVOKED}, |
| 9359 |
| 9360 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9361 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}}, |
| 9362 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9363 OCSPVerifyResult::INVALID_DATE, |
| 9364 false, |
| 9365 OCSPRevocationStatus::UNKNOWN}, |
| 9366 |
| 9367 {{{SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9368 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}}, |
| 9369 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9370 OCSPVerifyResult::INVALID_DATE, |
| 9371 false, |
| 9372 OCSPRevocationStatus::UNKNOWN}, |
| 9373 |
| 9374 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9375 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9376 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9377 OCSPVerifyResult::PROVIDED, |
| 9378 true, |
| 9379 OCSPRevocationStatus::GOOD}, |
| 9380 |
| 9381 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9382 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}, |
| 9383 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9384 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9385 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9386 OCSPVerifyResult::PROVIDED, |
| 9387 true, |
| 9388 OCSPRevocationStatus::GOOD}, |
| 9389 |
| 9390 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9391 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}, |
| 9392 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9393 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9394 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9395 OCSPVerifyResult::PROVIDED, |
| 9396 true, |
| 9397 OCSPRevocationStatus::GOOD}, |
| 9398 |
| 9399 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9400 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}, |
| 9401 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9402 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9403 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9404 OCSPVerifyResult::PROVIDED, |
| 9405 true, |
| 9406 OCSPRevocationStatus::GOOD}, |
| 9407 |
| 9408 {{{SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9409 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}, |
| 9410 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9411 SpawnedTestServer::SSLOptions::OCSP_DATE_OLD}, |
| 9412 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9413 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}}, |
| 9414 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9415 OCSPVerifyResult::INVALID_DATE, |
| 9416 false, |
| 9417 OCSPRevocationStatus::UNKNOWN}, |
| 9418 |
| 9419 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9420 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}, |
| 9421 {SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9422 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}, |
| 9423 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9424 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9425 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9426 OCSPVerifyResult::PROVIDED, |
| 9427 true, |
| 9428 OCSPRevocationStatus::REVOKED}, |
| 9429 |
| 9430 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9431 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}, |
| 9432 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9433 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9434 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9435 OCSPVerifyResult::PROVIDED, |
| 9436 true, |
| 9437 OCSPRevocationStatus::UNKNOWN}, |
| 9438 |
| 9439 {{{SpawnedTestServer::SSLOptions::OCSP_UNKNOWN, |
| 9440 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}, |
| 9441 {SpawnedTestServer::SSLOptions::OCSP_REVOKED, |
| 9442 SpawnedTestServer::SSLOptions::OCSP_DATE_LONG}, |
| 9443 {SpawnedTestServer::SSLOptions::OCSP_OK, |
| 9444 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9445 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9446 OCSPVerifyResult::PROVIDED, |
| 9447 true, |
| 9448 OCSPRevocationStatus::UNKNOWN}, |
| 9449 |
| 9450 {{{SpawnedTestServer::SSLOptions::OCSP_MISMATCHED_SERIAL, |
| 9451 SpawnedTestServer::SSLOptions::OCSP_DATE_VALID}}, |
| 9452 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9453 OCSPVerifyResult::NO_MATCHING_RESPONSE, |
| 9454 false, |
| 9455 OCSPRevocationStatus::UNKNOWN}, |
| 9456 |
| 9457 {{{SpawnedTestServer::SSLOptions::OCSP_MISMATCHED_SERIAL, |
| 9458 SpawnedTestServer::SSLOptions::OCSP_DATE_EARLY}}, |
| 9459 SpawnedTestServer::SSLOptions::OCSP_PRODUCED_VALID, |
| 9460 OCSPVerifyResult::NO_MATCHING_RESPONSE, |
| 9461 false, |
| 9462 OCSPRevocationStatus::UNKNOWN}, |
| 9463 |
| 9464 }; |
| 9465 |
| 9466 class HTTPSOCSPVerifyTest |
| 9467 : public HTTPSOCSPTest, |
| 9468 public testing::WithParamInterface<OCSPVerifyTestData> {}; |
| 9469 |
| 9470 TEST_P(HTTPSOCSPVerifyTest, VerifyResult) { |
| 9471 SpawnedTestServer::SSLOptions ssl_options( |
| 9472 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9473 OCSPVerifyTestData test = GetParam(); |
| 9474 |
| 9475 ssl_options.ocsp_responses = test.ocsp_responses; |
| 9476 ssl_options.ocsp_produced = test.ocsp_produced; |
| 9477 ssl_options.staple_ocsp_response = true; |
| 9478 |
| 9479 SSLInfo ssl_info; |
| 9480 OCSPErrorTestDelegate delegate; |
| 9481 ASSERT_NO_FATAL_FAILURE( |
| 9482 DoConnectionWithDelegate(ssl_options, &delegate, &ssl_info)); |
| 9483 |
| 9484 // The SSLInfo must be extracted from |delegate| on error, due to how |
| 9485 // URLRequest caches certificate errors. |
| 9486 if (delegate.have_certificate_errors()) { |
| 9487 ASSERT_TRUE(delegate.on_ssl_certificate_error_called()); |
| 9488 ssl_info = delegate.ssl_info(); |
| 9489 } |
| 9490 |
| 9491 EXPECT_EQ(test.response_status, ssl_info.ocsp_result.response_status); |
| 9492 |
| 9493 if (test.has_revocation_status) |
| 9494 EXPECT_EQ(test.cert_status, ssl_info.ocsp_result.revocation_status); |
| 9495 } |
| 9496 |
| 9497 INSTANTIATE_TEST_CASE_P(OCSPVerify, |
| 9498 HTTPSOCSPVerifyTest, |
| 9499 testing::ValuesIn(kOCSPVerifyData)); |
| 9500 |
9199 class HTTPSHardFailTest : public HTTPSOCSPTest { | 9501 class HTTPSHardFailTest : public HTTPSOCSPTest { |
9200 protected: | 9502 protected: |
9201 void SetupContext() override { | 9503 void SetupContext() override { |
9202 context_.set_ssl_config_service(new TestSSLConfigService( | 9504 context_.set_ssl_config_service(new TestSSLConfigService( |
9203 false /* check for EV */, false /* online revocation checking */, | 9505 false /* check for EV */, false /* online revocation checking */, |
9204 true /* require rev. checking for local | 9506 true /* require rev. checking for local |
9205 anchors */, | 9507 anchors */, |
9206 false /* token binding enabled */)); | 9508 false /* token binding enabled */)); |
9207 } | 9509 } |
9208 }; | 9510 }; |
9209 | 9511 |
9210 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) { | 9512 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) { |
9211 if (!SystemSupportsOCSP()) { | 9513 if (!SystemSupportsOCSP()) { |
9212 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9514 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9213 return; | 9515 return; |
9214 } | 9516 } |
9215 | 9517 |
9216 if (!SystemSupportsHardFailRevocationChecking()) { | 9518 if (!SystemSupportsHardFailRevocationChecking()) { |
9217 LOG(WARNING) << "Skipping test because system doesn't support hard fail " | 9519 LOG(WARNING) << "Skipping test because system doesn't support hard fail " |
9218 << "revocation checking"; | 9520 << "revocation checking"; |
9219 return; | 9521 return; |
9220 } | 9522 } |
9221 | 9523 |
9222 SpawnedTestServer::SSLOptions ssl_options( | 9524 SpawnedTestServer::SSLOptions ssl_options( |
9223 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9525 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9224 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9526 ssl_options.ocsp_status = |
| 9527 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9225 | 9528 |
9226 CertStatus cert_status; | 9529 CertStatus cert_status; |
9227 DoConnection(ssl_options, &cert_status); | 9530 DoConnection(ssl_options, &cert_status); |
9228 | 9531 |
9229 EXPECT_EQ(CERT_STATUS_REVOKED, | 9532 EXPECT_EQ(CERT_STATUS_REVOKED, |
9230 cert_status & CERT_STATUS_REVOKED); | 9533 cert_status & CERT_STATUS_REVOKED); |
9231 | 9534 |
9232 // Without a positive OCSP response, we shouldn't show the EV status. | 9535 // Without a positive OCSP response, we shouldn't show the EV status. |
9233 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9536 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
9234 } | 9537 } |
9245 }; | 9548 }; |
9246 | 9549 |
9247 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) { | 9550 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) { |
9248 if (!SystemSupportsOCSP()) { | 9551 if (!SystemSupportsOCSP()) { |
9249 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9552 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9250 return; | 9553 return; |
9251 } | 9554 } |
9252 | 9555 |
9253 SpawnedTestServer::SSLOptions ssl_options( | 9556 SpawnedTestServer::SSLOptions ssl_options( |
9254 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9557 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9255 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9558 ssl_options.ocsp_status = |
| 9559 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9256 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); | 9560 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); |
9257 | 9561 |
9258 CertStatus cert_status; | 9562 CertStatus cert_status; |
9259 DoConnection(ssl_options, &cert_status); | 9563 DoConnection(ssl_options, &cert_status); |
9260 | 9564 |
9261 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9565 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
9262 cert_status & CERT_STATUS_ALL_ERRORS); | 9566 cert_status & CERT_STATUS_ALL_ERRORS); |
9263 | 9567 |
9264 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9568 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
9265 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9569 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
9317 } | 9621 } |
9318 | 9622 |
9319 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSet) { | 9623 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSet) { |
9320 if (!SystemSupportsOCSP()) { | 9624 if (!SystemSupportsOCSP()) { |
9321 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9625 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9322 return; | 9626 return; |
9323 } | 9627 } |
9324 | 9628 |
9325 SpawnedTestServer::SSLOptions ssl_options( | 9629 SpawnedTestServer::SSLOptions ssl_options( |
9326 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9630 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9327 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9631 ssl_options.ocsp_status = |
| 9632 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9328 SSLConfigService::SetCRLSet( | 9633 SSLConfigService::SetCRLSet( |
9329 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); | 9634 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
9330 | 9635 |
9331 CertStatus cert_status; | 9636 CertStatus cert_status; |
9332 DoConnection(ssl_options, &cert_status); | 9637 DoConnection(ssl_options, &cert_status); |
9333 | 9638 |
9334 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9639 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
9335 cert_status & CERT_STATUS_ALL_ERRORS); | 9640 cert_status & CERT_STATUS_ALL_ERRORS); |
9336 | 9641 |
9337 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9642 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
9338 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9643 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
9339 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9644 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
9340 } | 9645 } |
9341 | 9646 |
9342 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { | 9647 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { |
9343 if (!SystemSupportsOCSP()) { | 9648 if (!SystemSupportsOCSP()) { |
9344 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9649 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9345 return; | 9650 return; |
9346 } | 9651 } |
9347 | 9652 |
9348 SpawnedTestServer::SSLOptions ssl_options( | 9653 SpawnedTestServer::SSLOptions ssl_options( |
9349 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9654 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9350 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9655 ssl_options.ocsp_status = |
| 9656 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9351 SSLConfigService::SetCRLSet( | 9657 SSLConfigService::SetCRLSet( |
9352 scoped_refptr<CRLSet>(CRLSet::ForTesting( | 9658 scoped_refptr<CRLSet>(CRLSet::ForTesting( |
9353 false, &kOCSPTestCertSPKI, ""))); | 9659 false, &kOCSPTestCertSPKI, ""))); |
9354 | 9660 |
9355 CertStatus cert_status; | 9661 CertStatus cert_status; |
9356 DoConnection(ssl_options, &cert_status); | 9662 DoConnection(ssl_options, &cert_status); |
9357 | 9663 |
9358 // With a fresh CRLSet that covers the issuing certificate, we shouldn't do a | 9664 // With a fresh CRLSet that covers the issuing certificate, we shouldn't do a |
9359 // revocation check for EV. | 9665 // revocation check for EV. |
9360 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); | 9666 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
9361 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9667 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
9362 static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); | 9668 static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); |
9363 EXPECT_FALSE( | 9669 EXPECT_FALSE( |
9364 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9670 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
9365 } | 9671 } |
9366 | 9672 |
9367 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetNotCovered) { | 9673 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetNotCovered) { |
9368 if (!SystemSupportsOCSP()) { | 9674 if (!SystemSupportsOCSP()) { |
9369 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9675 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
9370 return; | 9676 return; |
9371 } | 9677 } |
9372 | 9678 |
9373 SpawnedTestServer::SSLOptions ssl_options( | 9679 SpawnedTestServer::SSLOptions ssl_options( |
9374 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9680 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9375 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9681 ssl_options.ocsp_status = |
| 9682 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9376 SSLConfigService::SetCRLSet( | 9683 SSLConfigService::SetCRLSet( |
9377 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); | 9684 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); |
9378 | 9685 |
9379 CertStatus cert_status = 0; | 9686 CertStatus cert_status = 0; |
9380 DoConnection(ssl_options, &cert_status); | 9687 DoConnection(ssl_options, &cert_status); |
9381 | 9688 |
9382 // Even with a fresh CRLSet, we should still do online revocation checks when | 9689 // Even with a fresh CRLSet, we should still do online revocation checks when |
9383 // the certificate chain isn't covered by the CRLSet, which it isn't in this | 9690 // the certificate chain isn't covered by the CRLSet, which it isn't in this |
9384 // test. | 9691 // test. |
9385 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9692 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
9425 false /* check for EV */, false /* online revocation checking */, | 9732 false /* check for EV */, false /* online revocation checking */, |
9426 false /* require rev. checking for local | 9733 false /* require rev. checking for local |
9427 anchors */, | 9734 anchors */, |
9428 false /* token binding enabled */)); | 9735 false /* token binding enabled */)); |
9429 } | 9736 } |
9430 }; | 9737 }; |
9431 | 9738 |
9432 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { | 9739 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { |
9433 SpawnedTestServer::SSLOptions ssl_options( | 9740 SpawnedTestServer::SSLOptions ssl_options( |
9434 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9741 SpawnedTestServer::SSLOptions::CERT_AUTO); |
9435 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID; | 9742 ssl_options.ocsp_status = |
| 9743 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
9436 SSLConfigService::SetCRLSet( | 9744 SSLConfigService::SetCRLSet( |
9437 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); | 9745 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
9438 | 9746 |
9439 CertStatus cert_status; | 9747 CertStatus cert_status; |
9440 DoConnection(ssl_options, &cert_status); | 9748 DoConnection(ssl_options, &cert_status); |
9441 | 9749 |
9442 // If we're not trying EV verification then, even if the CRLSet has expired, | 9750 // If we're not trying EV verification then, even if the CRLSet has expired, |
9443 // we don't fall back to online revocation checks. | 9751 // we don't fall back to online revocation checks. |
9444 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); | 9752 EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
9445 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9753 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
9840 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 10148 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
9841 | 10149 |
9842 req->Start(); | 10150 req->Start(); |
9843 req->Cancel(); | 10151 req->Cancel(); |
9844 base::RunLoop().RunUntilIdle(); | 10152 base::RunLoop().RunUntilIdle(); |
9845 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); | 10153 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); |
9846 EXPECT_EQ(0, d.received_redirect_count()); | 10154 EXPECT_EQ(0, d.received_redirect_count()); |
9847 } | 10155 } |
9848 | 10156 |
9849 } // namespace net | 10157 } // namespace net |
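Review bot: Three rows of `kOCSPVerifyData` are exact repeats of an earlier row, so `HTTPSOCSPVerifyTest.VerifyResult` runs those cases twice without adding coverage: the `OCSP_OK`/`OCSP_DATE_LONG` row at new lines 9276-9281 repeats 9269-9274, the `OCSP_PRODUCED_AFTER_CERT` row at 9346-9351 repeats 9339-9344, and the `OCSP_OK`/`OCSP_DATE_VALID` row at 9374-9379 repeats 9248-9253. If the repeats stand in for cases that were meant to differ, one visible gap is a single-response row pairing `OCSP_UNKNOWN` with `OCSP_DATE_LONG`, which the `OCSP_OK` and `OCSP_REVOKED` groups both have; that reading is inferred from the table's pattern and should be confirmed with the author. A one-line comment above each row naming the case (for example `// OCSP_OK + OCSP_DATE_OLD: expect INVALID_DATE, no revocation status.`) would make duplicates and gaps easy to spot. In `VerifyResult` the `revocation_status` comparison is skipped when `has_revocation_status` is false, so a rejected response that still surfaced `GOOD` would not fail the test; since every such row already lists `OCSPRevocationStatus::UNKNOWN`, consider asserting it unconditionally if the verifier is expected to leave that value on failure.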