| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 346 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 357 } | 357 } |
| 358 | 358 |
| 359 static void EnableStaticPins(TransportSecurityState* state) { | 359 static void EnableStaticPins(TransportSecurityState* state) { |
| 360 state->enable_static_pins_ = true; | 360 state->enable_static_pins_ = true; |
| 361 } | 361 } |
| 362 | 362 |
| 363 static void EnableStaticExpectCT(TransportSecurityState* state) { | 363 static void EnableStaticExpectCT(TransportSecurityState* state) { |
| 364 state->enable_static_expect_ct_ = true; | 364 state->enable_static_expect_ct_ = true; |
| 365 } | 365 } |
| 366 | 366 |
| 367 static void EnableStaticExpectStaple(TransportSecurityState* state) { | 367 static void SetEnableStaticExpectStaple(TransportSecurityState* state, |
| 368 state->enable_static_expect_staple_ = true; | 368 bool enabled) { |
| 369 state->enable_static_expect_staple_ = enabled; |
| 369 } | 370 } |
| 370 | 371 |
| 371 static HashValueVector GetSampleSPKIHashes() { | 372 static HashValueVector GetSampleSPKIHashes() { |
| 372 HashValueVector spki_hashes; | 373 HashValueVector spki_hashes; |
| 373 HashValue hash(HASH_VALUE_SHA256); | 374 HashValue hash(HASH_VALUE_SHA256); |
| 374 memset(hash.data(), 0, hash.size()); | 375 memset(hash.data(), 0, hash.size()); |
| 375 spki_hashes.push_back(hash); | 376 spki_hashes.push_back(hash); |
| 376 return spki_hashes; | 377 return spki_hashes; |
| 377 } | 378 } |
| 378 | 379 |
| (...skipping 1455 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1834 EXPECT_EQ(kExpectCTStaticHostname, expect_ct_state.domain); | 1835 EXPECT_EQ(kExpectCTStaticHostname, expect_ct_state.domain); |
| 1835 EXPECT_EQ(GURL(kExpectCTStaticReportURI), expect_ct_state.report_uri); | 1836 EXPECT_EQ(GURL(kExpectCTStaticReportURI), expect_ct_state.report_uri); |
| 1836 EXPECT_FALSE( | 1837 EXPECT_FALSE( |
| 1837 GetExpectCTState(&state, "pinning-test.badssl.com", &expect_ct_state)); | 1838 GetExpectCTState(&state, "pinning-test.badssl.com", &expect_ct_state)); |
| 1838 } | 1839 } |
| 1839 | 1840 |
| 1840 // Tests that static (preloaded) expect staple state is read correctly. | 1841 // Tests that static (preloaded) expect staple state is read correctly. |
| 1841 TEST_F(TransportSecurityStateTest, PreloadedExpectStaple) { | 1842 TEST_F(TransportSecurityStateTest, PreloadedExpectStaple) { |
| 1842 TransportSecurityState state; | 1843 TransportSecurityState state; |
| 1843 TransportSecurityState::ExpectStapleState expect_staple_state; | 1844 TransportSecurityState::ExpectStapleState expect_staple_state; |
| 1845 TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, false); |
| 1844 EXPECT_FALSE(GetExpectStapleState(&state, kExpectStapleStaticHostname, | 1846 EXPECT_FALSE(GetExpectStapleState(&state, kExpectStapleStaticHostname, |
| 1845 &expect_staple_state)); | 1847 &expect_staple_state)); |
| 1846 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | 1848 TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true); |
| 1847 EXPECT_TRUE(GetExpectStapleState(&state, kExpectStapleStaticHostname, | 1849 EXPECT_TRUE(GetExpectStapleState(&state, kExpectStapleStaticHostname, |
| 1848 &expect_staple_state)); | 1850 &expect_staple_state)); |
| 1849 EXPECT_EQ(kExpectStapleStaticHostname, expect_staple_state.domain); | 1851 EXPECT_EQ(kExpectStapleStaticHostname, expect_staple_state.domain); |
| 1850 EXPECT_EQ(GURL(kExpectStapleStaticReportURI), expect_staple_state.report_uri); | 1852 EXPECT_EQ(GURL(kExpectStapleStaticReportURI), expect_staple_state.report_uri); |
| 1851 EXPECT_FALSE(expect_staple_state.include_subdomains); | 1853 EXPECT_FALSE(expect_staple_state.include_subdomains); |
| 1852 EXPECT_FALSE(GetExpectStapleState(&state, "pinning-test.badssl.com", | 1854 EXPECT_FALSE(GetExpectStapleState(&state, "pinning-test.badssl.com", |
| 1853 &expect_staple_state)); | 1855 &expect_staple_state)); |
| 1854 std::string subdomain = "subdomain."; | 1856 std::string subdomain = "subdomain."; |
| 1855 subdomain += kExpectStapleStaticHostname; | 1857 subdomain += kExpectStapleStaticHostname; |
| 1856 EXPECT_FALSE(GetExpectStapleState(&state, subdomain, &expect_staple_state)); | 1858 EXPECT_FALSE(GetExpectStapleState(&state, subdomain, &expect_staple_state)); |
| 1857 } | 1859 } |
| 1858 | 1860 |
| 1859 TEST_F(TransportSecurityStateTest, PreloadedExpectStapleIncludeSubdomains) { | 1861 TEST_F(TransportSecurityStateTest, PreloadedExpectStapleIncludeSubdomains) { |
| 1860 TransportSecurityState state; | 1862 TransportSecurityState state; |
| 1861 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | 1863 TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true); |
| 1862 TransportSecurityState::ExpectStapleState expect_staple_state; | 1864 TransportSecurityState::ExpectStapleState expect_staple_state; |
| 1863 std::string subdomain = "subdomain."; | 1865 std::string subdomain = "subdomain."; |
| 1864 subdomain += kExpectStapleStaticIncludeSubdomainsHostname; | 1866 subdomain += kExpectStapleStaticIncludeSubdomainsHostname; |
| 1865 EXPECT_TRUE(GetExpectStapleState(&state, subdomain, &expect_staple_state)); | 1867 EXPECT_TRUE(GetExpectStapleState(&state, subdomain, &expect_staple_state)); |
| 1866 EXPECT_EQ(kExpectStapleStaticIncludeSubdomainsHostname, | 1868 EXPECT_EQ(kExpectStapleStaticIncludeSubdomainsHostname, |
| 1867 expect_staple_state.domain); | 1869 expect_staple_state.domain); |
| 1868 EXPECT_TRUE(expect_staple_state.include_subdomains); | 1870 EXPECT_TRUE(expect_staple_state.include_subdomains); |
| 1869 EXPECT_EQ(GURL(kExpectStapleStaticReportURI), expect_staple_state.report_uri); | 1871 EXPECT_EQ(GURL(kExpectStapleStaticReportURI), expect_staple_state.report_uri); |
| 1870 } | 1872 } |
| 1871 | 1873 |
| (...skipping 149 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2021 | 2023 |
| 2022 class ExpectStapleErrorResponseTest | 2024 class ExpectStapleErrorResponseTest |
| 2023 : public TransportSecurityStateTest, | 2025 : public TransportSecurityStateTest, |
| 2024 public testing::WithParamInterface<ExpectStapleErrorResponseData> {}; | 2026 public testing::WithParamInterface<ExpectStapleErrorResponseData> {}; |
| 2025 | 2027 |
| 2026 // For every |response_status| indicating an OCSP response was provided, but had | 2028 // For every |response_status| indicating an OCSP response was provided, but had |
| 2027 // some sort of parsing/validation error, test that the ExpectStaple report is | 2029 // some sort of parsing/validation error, test that the ExpectStaple report is |
| 2028 // serialized correctly. | 2030 // serialized correctly. |
| 2029 TEST_P(ExpectStapleErrorResponseTest, CheckResponseStatusSerialization) { | 2031 TEST_P(ExpectStapleErrorResponseTest, CheckResponseStatusSerialization) { |
| 2030 TransportSecurityState state; | 2032 TransportSecurityState state; |
| 2031 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | 2033 TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true); |
| 2032 MockCertificateReportSender reporter; | 2034 MockCertificateReportSender reporter; |
| 2033 ExpectStapleErrorResponseData test = GetParam(); | 2035 ExpectStapleErrorResponseData test = GetParam(); |
| 2034 | 2036 |
| 2035 std::string ocsp_response; | 2037 std::string ocsp_response; |
| 2036 if (test.response_status != OCSPVerifyResult::MISSING) | 2038 if (test.response_status != OCSPVerifyResult::MISSING) |
| 2037 ocsp_response = "dummy_response"; | 2039 ocsp_response = "dummy_response"; |
| 2038 | 2040 |
| 2039 // Two dummy certs to use as the server-sent and validated chains. The | 2041 // Two dummy certs to use as the server-sent and validated chains. The |
| 2040 // contents don't matter. | 2042 // contents don't matter. |
| 2041 scoped_refptr<X509Certificate> cert1 = | 2043 scoped_refptr<X509Certificate> cert1 = |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2076 | 2078 |
| 2077 class ExpectStapleErrorCertStatusTest | 2079 class ExpectStapleErrorCertStatusTest |
| 2078 : public TransportSecurityStateTest, | 2080 : public TransportSecurityStateTest, |
| 2079 public testing::WithParamInterface<ExpectStapleErrorCertStatusData> {}; | 2081 public testing::WithParamInterface<ExpectStapleErrorCertStatusData> {}; |
| 2080 | 2082 |
| 2081 // Test that |revocation_status| is serialized into the |cert-status| field of | 2083 // Test that |revocation_status| is serialized into the |cert-status| field of |
| 2082 // the Expect-Staple report whenever |response_status| is PROVIDED and | 2084 // the Expect-Staple report whenever |response_status| is PROVIDED and |
| 2083 // |revocation_status| != GOOD. | 2085 // |revocation_status| != GOOD. |
| 2084 TEST_P(ExpectStapleErrorCertStatusTest, CheckCertStatusSerialization) { | 2086 TEST_P(ExpectStapleErrorCertStatusTest, CheckCertStatusSerialization) { |
| 2085 TransportSecurityState state; | 2087 TransportSecurityState state; |
| 2086 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | 2088 TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true); |
| 2087 MockCertificateReportSender reporter; | 2089 MockCertificateReportSender reporter; |
| 2088 ExpectStapleErrorCertStatusData test = GetParam(); | 2090 ExpectStapleErrorCertStatusData test = GetParam(); |
| 2089 std::string ocsp_response = "dummy_response"; | 2091 std::string ocsp_response = "dummy_response"; |
| 2090 | 2092 |
| 2091 // Two dummy certs to use as the server-sent and validated chains. The | 2093 // Two dummy certs to use as the server-sent and validated chains. The |
| 2092 // contents don't matter. | 2094 // contents don't matter. |
| 2093 scoped_refptr<X509Certificate> cert1 = | 2095 scoped_refptr<X509Certificate> cert1 = |
| 2094 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | 2096 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 2095 scoped_refptr<X509Certificate> cert2 = | 2097 scoped_refptr<X509Certificate> cert2 = |
| 2096 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | 2098 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| (...skipping 19 matching lines...) Expand all Loading... |
| 2116 ocsp_response, "PROVIDED", | 2118 ocsp_response, "PROVIDED", |
| 2117 test.cert_status_string)); | 2119 test.cert_status_string)); |
| 2118 }; | 2120 }; |
| 2119 | 2121 |
| 2120 INSTANTIATE_TEST_CASE_P(ExpectStaple, | 2122 INSTANTIATE_TEST_CASE_P(ExpectStaple, |
| 2121 ExpectStapleErrorCertStatusTest, | 2123 ExpectStapleErrorCertStatusTest, |
| 2122 testing::ValuesIn(kExpectStapleErrorCertStatusData)); | 2124 testing::ValuesIn(kExpectStapleErrorCertStatusData)); |
| 2123 | 2125 |
| 2124 TEST_F(TransportSecurityStateTest, ExpectStapleDoesNotReportValidStaple) { | 2126 TEST_F(TransportSecurityStateTest, ExpectStapleDoesNotReportValidStaple) { |
| 2125 TransportSecurityState state; | 2127 TransportSecurityState state; |
| 2126 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | 2128 TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true); |
| 2127 MockCertificateReportSender reporter; | 2129 MockCertificateReportSender reporter; |
| 2128 state.SetReportSender(&reporter); | 2130 state.SetReportSender(&reporter); |
| 2129 | 2131 |
| 2130 // Baked-in preloaded Expect-Staple test hosts. | 2132 // Baked-in preloaded Expect-Staple test hosts. |
| 2131 HostPortPair host_port(kExpectStapleStaticHostname, 443); | 2133 HostPortPair host_port(kExpectStapleStaticHostname, 443); |
| 2132 | 2134 |
| 2133 // Two dummy certs to use as the server-sent and validated chains. The | 2135 // Two dummy certs to use as the server-sent and validated chains. The |
| 2134 // contents don't matter. | 2136 // contents don't matter. |
| 2135 scoped_refptr<X509Certificate> cert1 = | 2137 scoped_refptr<X509Certificate> cert1 = |
| 2136 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | 2138 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| (...skipping 14 matching lines...) Expand all Loading... |
| 2151 EXPECT_TRUE(reporter.latest_report().empty()); | 2153 EXPECT_TRUE(reporter.latest_report().empty()); |
| 2152 | 2154 |
| 2153 ssl_info.is_issued_by_known_root = false; | 2155 ssl_info.is_issued_by_known_root = false; |
| 2154 state.CheckExpectStaple(host_port, ssl_info, ocsp_response); | 2156 state.CheckExpectStaple(host_port, ssl_info, ocsp_response); |
| 2155 EXPECT_EQ(GURL(), reporter.latest_report_uri()); | 2157 EXPECT_EQ(GURL(), reporter.latest_report_uri()); |
| 2156 EXPECT_TRUE(reporter.latest_report().empty()); | 2158 EXPECT_TRUE(reporter.latest_report().empty()); |
| 2157 } | 2159 } |
| 2158 | 2160 |
| 2159 TEST_F(TransportSecurityStateTest, ExpectStapleRequiresPreload) { | 2161 TEST_F(TransportSecurityStateTest, ExpectStapleRequiresPreload) { |
| 2160 TransportSecurityState state; | 2162 TransportSecurityState state; |
| 2161 TransportSecurityStateTest::EnableStaticExpectStaple(&state); | 2163 TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true); |
| 2162 MockCertificateReportSender reporter; | 2164 MockCertificateReportSender reporter; |
| 2163 state.SetReportSender(&reporter); | 2165 state.SetReportSender(&reporter); |
| 2164 | 2166 |
| 2165 HostPortPair host_port("not-preloaded.host.example", 443); | 2167 HostPortPair host_port("not-preloaded.host.example", 443); |
| 2166 | 2168 |
| 2167 // Two dummy certs to use as the server-sent and validated chains. The | 2169 // Two dummy certs to use as the server-sent and validated chains. The |
| 2168 // contents don't matter. | 2170 // contents don't matter. |
| 2169 scoped_refptr<X509Certificate> cert1 = | 2171 scoped_refptr<X509Certificate> cert1 = |
| 2170 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | 2172 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 2171 scoped_refptr<X509Certificate> cert2 = | 2173 scoped_refptr<X509Certificate> cert2 = |
| (...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2317 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", | 2319 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", |
| 2318 "disabled"); | 2320 "disabled"); |
| 2319 | 2321 |
| 2320 EXPECT_FALSE( | 2322 EXPECT_FALSE( |
| 2321 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2323 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); |
| 2322 EXPECT_FALSE( | 2324 EXPECT_FALSE( |
| 2323 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2325 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); |
| 2324 } | 2326 } |
| 2325 | 2327 |
| 2326 } // namespace net | 2328 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2155753002:
Enable Expect-Staple in SSLClientSocket. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-reporting