| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <memory> | 5 #include <memory> |
| 6 #include <utility> | 6 #include <utility> |
| 7 | 7 |
| 8 #include "base/memory/ptr_util.h" | 8 #include "base/memory/ptr_util.h" |
| 9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
| 10 #include "build/build_config.h" | 10 #include "build/build_config.h" |
| (...skipping 9034 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9045 anchors */, | 9045 anchors */, |
| 9046 false /* token binding enabled */)); | 9046 false /* token binding enabled */)); |
| 9047 } | 9047 } |
| 9048 | 9048 |
| 9049 std::unique_ptr<ScopedTestRoot> test_root_; | 9049 std::unique_ptr<ScopedTestRoot> test_root_; |
| 9050 TestURLRequestContext context_; | 9050 TestURLRequestContext context_; |
| 9051 std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_; | 9051 std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_; |
| 9052 }; | 9052 }; |
| 9053 | 9053 |
| 9054 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { | 9054 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { |
| 9055 #if defined(OS_WIN) | 9055 #if defined(OS_WIN) || defined(OS_MACOSX) |
| 9056 // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't | 9056 // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't |
| 9057 // have that ability on other platforms. | 9057 // have that ability on other platforms. |
| 9058 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; | 9058 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; |
| 9059 #else | 9059 #else |
| 9060 return 0; | 9060 return 0; |
| 9061 #endif | 9061 #endif |
| 9062 } | 9062 } |
| 9063 | 9063 |
| 9064 // SystemSupportsHardFailRevocationChecking returns true iff the current | 9064 // SystemSupportsHardFailRevocationChecking returns true iff the current |
| 9065 // operating system supports revocation checking and can distinguish between | 9065 // operating system supports revocation checking and can distinguish between |
| (...skipping 20 matching lines...) Expand all Loading... |
| 9086 return false; | 9086 return false; |
| 9087 #elif (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_ANDROID) | 9087 #elif (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_ANDROID) |
| 9088 // On OS X and Android, we use the system to tell us whether a certificate is | 9088 // On OS X and Android, we use the system to tell us whether a certificate is |
| 9089 // EV or not and the system won't recognise our testing root. | 9089 // EV or not and the system won't recognise our testing root. |
| 9090 return false; | 9090 return false; |
| 9091 #else | 9091 #else |
| 9092 return true; | 9092 return true; |
| 9093 #endif | 9093 #endif |
| 9094 } | 9094 } |
| 9095 | 9095 |
| 9096 // Returns the expected CertStatus for tests that expect an online revocation |
| 9097 // check failure as a result of checking a test EV cert, which will not |
| 9098 // actually trigger an online revocation check on some platforms. |
| 9099 static CertStatus ExpectedCertStatusForFailedOnlineEVRevocationCheck() { |
| 9100 if (SystemUsesChromiumEVMetadata()) { |
| 9101 return ExpectedCertStatusForFailedOnlineRevocationCheck(); |
| 9102 } else { |
| 9103 // If SystemUsesChromiumEVMetadata is false, revocation checking will not |
| 9104 // be enabled, and thus there will not be a revocation check to fail. |
| 9105 return 0u; |
| 9106 } |
| 9107 } |
| 9108 |
| 9096 static bool SystemSupportsOCSP() { | 9109 static bool SystemSupportsOCSP() { |
| 9097 #if defined(OS_ANDROID) | 9110 #if defined(OS_ANDROID) |
| 9098 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. | 9111 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
| 9099 return false; | 9112 return false; |
| 9100 #else | 9113 #else |
| 9101 return true; | 9114 return true; |
| 9102 #endif | 9115 #endif |
| 9103 } | 9116 } |
| 9104 | 9117 |
| 9105 static bool SystemSupportsOCSPStapling() { | 9118 static bool SystemSupportsOCSPStapling() { |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9137 return; | 9150 return; |
| 9138 } | 9151 } |
| 9139 | 9152 |
| 9140 SpawnedTestServer::SSLOptions ssl_options( | 9153 SpawnedTestServer::SSLOptions ssl_options( |
| 9141 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9154 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9142 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_REVOKED; | 9155 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_REVOKED; |
| 9143 | 9156 |
| 9144 CertStatus cert_status; | 9157 CertStatus cert_status; |
| 9145 DoConnection(ssl_options, &cert_status); | 9158 DoConnection(ssl_options, &cert_status); |
| 9146 | 9159 |
| 9147 #if !(defined(OS_MACOSX) && !defined(OS_IOS)) | |
| 9148 // Doesn't pass on OS X yet for reasons that need to be investigated. | |
| 9149 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); | 9160 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); |
| 9150 #endif | |
| 9151 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9161 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9152 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9162 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| 9153 } | 9163 } |
| 9154 | 9164 |
| 9155 TEST_F(HTTPSOCSPTest, Invalid) { | 9165 TEST_F(HTTPSOCSPTest, Invalid) { |
| 9156 if (!SystemSupportsOCSP()) { | 9166 if (!SystemSupportsOCSP()) { |
| 9157 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9167 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| 9158 return; | 9168 return; |
| 9159 } | 9169 } |
| 9160 | 9170 |
| (...skipping 486 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9647 | 9657 |
| 9648 SpawnedTestServer::SSLOptions ssl_options( | 9658 SpawnedTestServer::SSLOptions ssl_options( |
| 9649 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9659 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9650 ssl_options.ocsp_status = | 9660 ssl_options.ocsp_status = |
| 9651 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; | 9661 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
| 9652 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); | 9662 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); |
| 9653 | 9663 |
| 9654 CertStatus cert_status; | 9664 CertStatus cert_status; |
| 9655 DoConnection(ssl_options, &cert_status); | 9665 DoConnection(ssl_options, &cert_status); |
| 9656 | 9666 |
| 9657 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9667 EXPECT_EQ(ExpectedCertStatusForFailedOnlineEVRevocationCheck(), |
| 9658 cert_status & CERT_STATUS_ALL_ERRORS); | 9668 cert_status & CERT_STATUS_ALL_ERRORS); |
| 9659 | 9669 |
| 9660 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9670 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9661 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9671 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 9662 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9672 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 9663 } | 9673 } |
| 9664 | 9674 |
| 9665 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndRevokedOCSP) { | 9675 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndRevokedOCSP) { |
| 9666 if (!SystemSupportsOCSP()) { | 9676 if (!SystemSupportsOCSP()) { |
| 9667 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9677 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| (...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9721 SpawnedTestServer::SSLOptions ssl_options( | 9731 SpawnedTestServer::SSLOptions ssl_options( |
| 9722 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9732 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9723 ssl_options.ocsp_status = | 9733 ssl_options.ocsp_status = |
| 9724 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; | 9734 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
| 9725 SSLConfigService::SetCRLSet( | 9735 SSLConfigService::SetCRLSet( |
| 9726 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); | 9736 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
| 9727 | 9737 |
| 9728 CertStatus cert_status; | 9738 CertStatus cert_status; |
| 9729 DoConnection(ssl_options, &cert_status); | 9739 DoConnection(ssl_options, &cert_status); |
| 9730 | 9740 |
| 9731 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9741 EXPECT_EQ(ExpectedCertStatusForFailedOnlineEVRevocationCheck(), |
| 9732 cert_status & CERT_STATUS_ALL_ERRORS); | 9742 cert_status & CERT_STATUS_ALL_ERRORS); |
| 9733 | 9743 |
| 9734 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9744 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9735 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9745 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 9736 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9746 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 9737 } | 9747 } |
| 9738 | 9748 |
| 9739 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { | 9749 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { |
| 9740 if (!SystemSupportsOCSP()) { | 9750 if (!SystemSupportsOCSP()) { |
| 9741 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9751 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9774 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; | 9784 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
| 9775 SSLConfigService::SetCRLSet( | 9785 SSLConfigService::SetCRLSet( |
| 9776 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); | 9786 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); |
| 9777 | 9787 |
| 9778 CertStatus cert_status = 0; | 9788 CertStatus cert_status = 0; |
| 9779 DoConnection(ssl_options, &cert_status); | 9789 DoConnection(ssl_options, &cert_status); |
| 9780 | 9790 |
| 9781 // Even with a fresh CRLSet, we should still do online revocation checks when | 9791 // Even with a fresh CRLSet, we should still do online revocation checks when |
| 9782 // the certificate chain isn't covered by the CRLSet, which it isn't in this | 9792 // the certificate chain isn't covered by the CRLSet, which it isn't in this |
| 9783 // test. | 9793 // test. |
| 9784 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9794 EXPECT_EQ(ExpectedCertStatusForFailedOnlineEVRevocationCheck(), |
| 9785 cert_status & CERT_STATUS_ALL_ERRORS); | 9795 cert_status & CERT_STATUS_ALL_ERRORS); |
| 9786 | 9796 |
| 9787 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9797 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9788 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9798 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 9789 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9799 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 9790 } | 9800 } |
| 9791 | 9801 |
| 9792 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSetAndRevokedNonEVCert) { | 9802 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSetAndRevokedNonEVCert) { |
| 9793 // Test that when EV verification is requested, but online revocation | 9803 // Test that when EV verification is requested, but online revocation |
| 9794 // checking is disabled, and the leaf certificate is not in fact EV, that | 9804 // checking is disabled, and the leaf certificate is not in fact EV, that |
| (...skipping 444 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 10239 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 10249 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
| 10240 | 10250 |
| 10241 req->Start(); | 10251 req->Start(); |
| 10242 req->Cancel(); | 10252 req->Cancel(); |
| 10243 base::RunLoop().RunUntilIdle(); | 10253 base::RunLoop().RunUntilIdle(); |
| 10244 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); | 10254 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); |
| 10245 EXPECT_EQ(0, d.received_redirect_count()); | 10255 EXPECT_EQ(0, d.received_redirect_count()); |
| 10246 } | 10256 } |
| 10247 | 10257 |
| 10248 } // namespace net | 10258 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2101303005:
CertVerifyProcMac: Add Keychain re-ordering hack, check CRLsets in path pruning loop. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master