Side by Side Diff: net/http/transport_security_state_unittest.cc

Issue 2109913004: Require Certificate Transparency for Symantec-operated roots (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@wire_up_policy
Patch Set: NaCL Created 4 years, 5 months ago
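--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -1,27 +1,29 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
 #include "base/base64.h"
 #include "base/files/file_path.h"
 #include "base/json/json_reader.h"
+#include "base/metrics/field_trial.h"
 #include "base/rand_util.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "base/test/histogram_tester.h"
+#include "base/test/mock_entropy_provider.h"
 #include "base/values.h"
 #include "crypto/openssl_util.h"
 #include "crypto/sha2.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/ct_policy_status.h"
@@ -1948,11 +1950,77 @@
     state.SetRequireCTDelegate(&default_require_ct_delegate);
     EXPECT_EQ(original_status,
               state.ShouldRequireCT("www.example.com", cert.get(), hashes));
 
     state.SetRequireCTDelegate(nullptr);
     EXPECT_EQ(original_status,
               state.ShouldRequireCT("www.example.com", cert.get(), hashes));
   }
 }
 
+// Tests that Certificate Transparency is required for Symantec-issued
+// certificates, unless the certificate was issued prior to 1 June 2016
+// or the issuing CA is whitelisted as independently operated.
+TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
+  // Test certificates before and after the 1 June 2016 deadline.
+  scoped_refptr<X509Certificate> before_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem");
+  ASSERT_TRUE(before_cert);
+  scoped_refptr<X509Certificate> after_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "post_june_2016.pem");
+  ASSERT_TRUE(after_cert);
+
+  SHA256HashValue symantec_hash_value = {
+      {0xb2, 0xde, 0xf5, 0x36, 0x2a, 0xd3, 0xfa, 0xcd, 0x04, 0xbd, 0x29,
+       0x04, 0x7a, 0x43, 0x84, 0x4f, 0x76, 0x70, 0x34, 0xea, 0x48, 0x92,
+       0xf8, 0x0e, 0x56, 0xbe, 0xe6, 0x90, 0x24, 0x3e, 0x25, 0x02}};
+  SHA256HashValue google_hash_value = {
+      {0xec, 0x72, 0x29, 0x69, 0xcb, 0x64, 0x20, 0x0a, 0xb6, 0x63, 0x8f,
+       0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48,
+       0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}};
+
+  TransportSecurityState state;
+
+  HashValueVector hashes;
+  hashes.push_back(HashValue(symantec_hash_value));
+
+  // Certificates issued by Symantec prior to 1 June 2016 should not
+  // be required to be disclosed via CT.
+  EXPECT_FALSE(
+      state.ShouldRequireCT("www.example.com", before_cert.get(), hashes));
+
+  // ... but certificates issued after 1 June 2016 are required to be...
+  EXPECT_TRUE(
+      state.ShouldRequireCT("www.example.com", after_cert.get(), hashes));
+
+  // ... unless they were issued by an excluded intermediate.
+  hashes.push_back(HashValue(google_hash_value));
+  EXPECT_FALSE(
+      state.ShouldRequireCT("www.example.com", before_cert.get(), hashes));
+  EXPECT_FALSE(
+      state.ShouldRequireCT("www.example.com", after_cert.get(), hashes));
+
+  // And other certificates should remain unaffected.
+  SHA256HashValue unrelated_hash_value = {{0x01, 0x02}};
+  HashValueVector unrelated_hashes;
+  unrelated_hashes.push_back(HashValue(unrelated_hash_value));
+
+  EXPECT_FALSE(state.ShouldRequireCT("www.example.com", before_cert.get(),
+                                     unrelated_hashes));
+  EXPECT_FALSE(state.ShouldRequireCT("www.example.com", after_cert.get(),
+                                     unrelated_hashes));
+
+  // And the emergency field trial should disable the requirement, if
+  // necessary.
+  hashes.clear();
+  hashes.push_back(HashValue(symantec_hash_value));
+  base::FieldTrialList field_trial_list(new base::MockEntropyProvider());
+  base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots",
+                                         "disabled");
+
+  EXPECT_FALSE(
+      state.ShouldRequireCT("www.example.com", before_cert.get(), hashes));
+  EXPECT_FALSE(
+      state.ShouldRequireCT("www.example.com", after_cert.get(), hashes));
+}
+
 }  // namespace net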
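Review bot: The kill-switch check at the end of RequireCTForSymantec only exercises the "disabled" group of EnforceCTForProblematicRoots, so an implementation that dropped enforcement whenever the trial merely exists, or that matched the group name loosely, would still pass; the fail-closed direction is the one that matters for a security control and it is not pinned anywhere. As far as I can tell a trial's group cannot be reassigned once created, so the complementary case belongs in a sibling test that registers the trial with another group, e.g. `base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", "enabled");`, and then asserts `EXPECT_TRUE(state.ShouldRequireCT("www.example.com", after_cert.get(), hashes));` next to the existing `EXPECT_FALSE` for before_cert. The `base::FieldTrialList` is also constructed mid-test rather than in the fixture; if the harness already owns a global FieldTrialList this would trip its single-instance check, so moving it to the fixture or a dedicated test would be safer — worth confirming against the fixture setup, which is outside this hunk.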