| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "ios/web/net/crw_cert_verification_controller.h" | 5 #include "ios/web/net/crw_cert_verification_controller.h" |
| 6 | 6 |
| 7 #include "base/mac/bind_objc_block.h" | 7 #include "base/mac/bind_objc_block.h" |
| 8 #include "base/mac/scoped_nsobject.h" | 8 #include "base/mac/scoped_nsobject.h" |
| 9 #include "base/message_loop/message_loop.h" | 9 #include "base/message_loop/message_loop.h" |
| 10 #include "base/test/ios/wait_util.h" | 10 #include "base/test/ios/wait_util.h" |
| 11 #include "ios/web/public/test/web_test.h" | 11 #include "ios/web/public/test/web_test.h" |
| 12 #include "ios/web/public/web_thread.h" | 12 #include "ios/web/public/web_thread.h" |
| 13 #import "ios/web/web_state/wk_web_view_security_util.h" | 13 #import "ios/web/web_state/wk_web_view_security_util.h" |
| 14 #include "net/cert/mock_cert_verifier.h" | |
| 15 #include "net/cert/x509_certificate.h" | 14 #include "net/cert/x509_certificate.h" |
| 16 #include "net/test/cert_test_util.h" | 15 #include "net/test/cert_test_util.h" |
| 17 #include "net/test/test_data_directory.h" | 16 #include "net/test/test_data_directory.h" |
| 18 #include "net/url_request/url_request_context.h" | |
| 19 #include "net/url_request/url_request_context_getter.h" | |
| 20 | 17 |
| 21 namespace web { | 18 namespace web { |
| 22 | 19 |
| 23 namespace { | 20 namespace { |
| 24 // Generated cert filename. | 21 // Generated cert filename. |
| 25 const char kCertFileName[] = "ok_cert.pem"; | 22 const char kCertFileName[] = "ok_cert.pem"; |
| 26 // Test hostname for cert verification. | 23 // Test hostname for cert verification. |
| 27 NSString* const kHostName = @"www.example.com"; | 24 NSString* const kHostName = @"www.example.com"; |
| 28 } // namespace | 25 } // namespace |
| 29 | 26 |
| 30 // Test fixture to test CRWCertVerificationController class. | 27 // Test fixture to test CRWCertVerificationController class. |
| 31 class CRWCertVerificationControllerTest : public web::WebTest { | 28 class CRWCertVerificationControllerTest : public web::WebTest { |
| 32 protected: | 29 protected: |
| 33 void SetUp() override { | 30 void SetUp() override { |
| 34 web::WebTest::SetUp(); | 31 web::WebTest::SetUp(); |
| 35 | 32 |
| 36 web::BrowserState* browser_state = GetBrowserState(); | |
| 37 net::URLRequestContextGetter* getter = browser_state->GetRequestContext(); | |
| 38 web::WebThread::PostTask(web::WebThread::IO, FROM_HERE, base::BindBlock(^{ | |
| 39 getter->GetURLRequestContext()->set_cert_verifier(&cert_verifier_); | |
| 40 })); | |
| 41 | |
| 42 controller_.reset([[CRWCertVerificationController alloc] | 33 controller_.reset([[CRWCertVerificationController alloc] |
| 43 initWithBrowserState:browser_state]); | 34 initWithBrowserState:GetBrowserState()]); |
| 44 cert_ = | 35 cert_ = |
| 45 net::ImportCertFromFile(net::GetTestCertsDirectory(), kCertFileName); | 36 net::ImportCertFromFile(net::GetTestCertsDirectory(), kCertFileName); |
| 46 ASSERT_TRUE(cert_); | 37 ASSERT_TRUE(cert_); |
| 47 | 38 |
| 48 NSArray* chain = GetChain(cert_); | 39 NSArray* chain = GetChain(cert_); |
| 49 valid_trust_ = web::CreateServerTrustFromChain(chain, kHostName); | 40 valid_trust_ = web::CreateServerTrustFromChain(chain, kHostName); |
| 50 web::EnsureFutureTrustEvaluationSucceeds(valid_trust_.get()); | 41 web::EnsureFutureTrustEvaluationSucceeds(valid_trust_.get()); |
| 51 invalid_trust_ = web::CreateServerTrustFromChain(chain, kHostName); | 42 invalid_trust_ = web::CreateServerTrustFromChain(chain, kHostName); |
| 52 } | 43 } |
| 53 | 44 |
| 54 void TearDown() override { | |
| 55 [controller_ shutDown]; | |
| 56 web::WebTest::TearDown(); | |
| 57 } | |
| 58 | |
| 59 // Returns NSArray of SecCertificateRef objects for the given |cert|. | 45 // Returns NSArray of SecCertificateRef objects for the given |cert|. |
| 60 NSArray* GetChain(const scoped_refptr<net::X509Certificate>& cert) const { | 46 NSArray* GetChain(const scoped_refptr<net::X509Certificate>& cert) const { |
| 61 NSMutableArray* result = [NSMutableArray | 47 NSMutableArray* result = [NSMutableArray |
| 62 arrayWithObject:static_cast<id>(cert->os_cert_handle())]; | 48 arrayWithObject:static_cast<id>(cert->os_cert_handle())]; |
| 63 for (SecCertificateRef intermediate : cert->GetIntermediateCertificates()) { | 49 for (SecCertificateRef intermediate : cert->GetIntermediateCertificates()) { |
| 64 [result addObject:static_cast<id>(intermediate)]; | 50 [result addObject:static_cast<id>(intermediate)]; |
| 65 } | 51 } |
| 66 return result; | 52 return result; |
| 67 } | 53 } |
| 68 | 54 |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 103 completion_handler_called = true; | 89 completion_handler_called = true; |
| 104 }]; | 90 }]; |
| 105 base::test::ios::WaitUntilCondition(^{ | 91 base::test::ios::WaitUntilCondition(^{ |
| 106 return completion_handler_called; | 92 return completion_handler_called; |
| 107 }, base::MessageLoop::current(), base::TimeDelta()); | 93 }, base::MessageLoop::current(), base::TimeDelta()); |
| 108 } | 94 } |
| 109 | 95 |
| 110 scoped_refptr<net::X509Certificate> cert_; | 96 scoped_refptr<net::X509Certificate> cert_; |
| 111 base::ScopedCFTypeRef<SecTrustRef> valid_trust_; | 97 base::ScopedCFTypeRef<SecTrustRef> valid_trust_; |
| 112 base::ScopedCFTypeRef<SecTrustRef> invalid_trust_; | 98 base::ScopedCFTypeRef<SecTrustRef> invalid_trust_; |
| 113 net::MockCertVerifier cert_verifier_; | |
| 114 base::scoped_nsobject<CRWCertVerificationController> controller_; | 99 base::scoped_nsobject<CRWCertVerificationController> controller_; |
| 115 }; | 100 }; |
| 116 | 101 |
| 117 // Tests cert policy with a valid trust. | 102 // Tests cert policy with a valid trust. |
| 118 TEST_F(CRWCertVerificationControllerTest, PolicyForValidTrust) { | 103 TEST_F(CRWCertVerificationControllerTest, PolicyForValidTrust) { |
| 119 net::CertVerifyResult verify_result; | |
| 120 verify_result.cert_status = net::CERT_STATUS_NO_REVOCATION_MECHANISM; | |
| 121 verify_result.verified_cert = cert_; | |
| 122 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, | |
| 123 verify_result, net::OK); | |
| 124 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | 104 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; |
| 125 net::CertStatus status; | 105 net::CertStatus status; |
| 126 DecidePolicy(valid_trust_, kHostName, &policy, &status); | 106 DecidePolicy(valid_trust_, kHostName, &policy, &status); |
| 127 EXPECT_EQ(CERT_ACCEPT_POLICY_ALLOW, policy); | 107 EXPECT_EQ(CERT_ACCEPT_POLICY_ALLOW, policy); |
| 128 EXPECT_FALSE(status); | 108 EXPECT_FALSE(status); |
| 129 } | 109 } |
| 130 | 110 |
| 131 // Tests cert policy with an invalid trust not accepted by user. | 111 // Tests cert policy with an invalid trust not accepted by user. |
| 132 TEST_F(CRWCertVerificationControllerTest, PolicyForInvalidTrust) { | 112 TEST_F(CRWCertVerificationControllerTest, PolicyForInvalidTrust) { |
| 133 net::CertVerifyResult result; | |
| 134 result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID; | |
| 135 result.verified_cert = cert_; | |
| 136 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, | |
| 137 result, | |
| 138 net::ERR_CERT_COMMON_NAME_INVALID); | |
| 139 | |
| 140 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | 113 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; |
| 141 net::CertStatus status; | 114 net::CertStatus status; |
| 142 DecidePolicy(invalid_trust_, kHostName, &policy, &status); | 115 DecidePolicy(invalid_trust_, kHostName, &policy, &status); |
| 143 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER, policy); | 116 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER, policy); |
| 144 EXPECT_EQ(net::CERT_STATUS_COMMON_NAME_INVALID, status); | 117 EXPECT_TRUE(net::CERT_STATUS_AUTHORITY_INVALID & status); |
| 118 EXPECT_TRUE(net::CERT_STATUS_COMMON_NAME_INVALID & status); |
| 145 } | 119 } |
| 146 | 120 |
| 147 // Tests cert policy with an invalid trust accepted by user. | 121 // Tests cert policy with an invalid trust accepted by user. |
| 148 TEST_F(CRWCertVerificationControllerTest, PolicyForInvalidTrustAcceptedByUser) { | 122 TEST_F(CRWCertVerificationControllerTest, PolicyForInvalidTrustAcceptedByUser) { |
| 149 net::CertVerifyResult result; | |
| 150 result.cert_status = net::CERT_STATUS_DATE_INVALID; | |
| 151 result.verified_cert = cert_; | |
| 152 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, | |
| 153 result, net::ERR_CERT_DATE_INVALID); | |
| 154 | |
| 155 [controller_ allowCert:cert_.get() | 123 [controller_ allowCert:cert_.get() |
| 156 forHost:kHostName | 124 forHost:kHostName |
| 157 status:net::CERT_STATUS_ALL_ERRORS]; | 125 status:net::CERT_STATUS_ALL_ERRORS]; |
| 158 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | 126 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; |
| 159 net::CertStatus status; | 127 net::CertStatus status; |
| 160 DecidePolicy(invalid_trust_, kHostName, &policy, &status); | 128 DecidePolicy(invalid_trust_, kHostName, &policy, &status); |
| 161 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER, policy); | 129 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER, policy); |
| 162 EXPECT_EQ(net::CERT_STATUS_DATE_INVALID, status); | 130 EXPECT_TRUE(net::CERT_STATUS_AUTHORITY_INVALID & status); |
| 131 EXPECT_TRUE(net::CERT_STATUS_COMMON_NAME_INVALID & status); |
| 163 } | 132 } |
| 164 | 133 |
| 165 // Tests cert policy with an invalid trust when CertVerifier considers cert as | 134 // Tests that allowCert:forHost:status: strips all intermediate certs. |
| 166 // valid. | 135 TEST_F(CRWCertVerificationControllerTest, AllowCertIgnoresIntermediateCerts) { |
| 167 TEST_F(CRWCertVerificationControllerTest, | |
| 168 PolicyForInvalidTrustWithNoErrorFromCertVerifier) { | |
| 169 net::CertVerifyResult result; | |
| 170 result.verified_cert = cert_; | |
| 171 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, | |
| 172 result, net::OK); | |
| 173 | |
| 174 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | |
| 175 net::CertStatus status; | |
| 176 DecidePolicy(invalid_trust_, kHostName, &policy, &status); | |
| 177 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER, policy); | |
| 178 EXPECT_EQ(net::CERT_STATUS_INVALID, status); | |
| 179 } | |
| 180 | |
| 181 // Tests that allowCert:forHost:status: strips all intermidiate certs. | |
| 182 TEST_F(CRWCertVerificationControllerTest, AllowCertIgnoresIntermidiateCerts) { | |
| 183 scoped_refptr<net::X509Certificate> cert( | 136 scoped_refptr<net::X509Certificate> cert( |
| 184 net::X509Certificate::CreateFromHandle(cert_->os_cert_handle(), | 137 net::X509Certificate::CreateFromHandle(cert_->os_cert_handle(), |
| 185 {cert_->os_cert_handle()})); | 138 {cert_->os_cert_handle()})); |
| 186 net::CertVerifyResult result; | |
| 187 result.cert_status = net::CERT_STATUS_DATE_INVALID; | |
| 188 result.verified_cert = cert_; | |
| 189 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, | |
| 190 result, net::ERR_CERT_DATE_INVALID); | |
| 191 | |
| 192 [controller_ allowCert:cert.get() | 139 [controller_ allowCert:cert.get() |
| 193 forHost:kHostName | 140 forHost:kHostName |
| 194 status:net::CERT_STATUS_ALL_ERRORS]; | 141 status:net::CERT_STATUS_ALL_ERRORS]; |
| 195 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | 142 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; |
| 196 net::CertStatus status; | 143 net::CertStatus status; |
| 197 DecidePolicy(invalid_trust_, kHostName, &policy, &status); | 144 DecidePolicy(invalid_trust_, kHostName, &policy, &status); |
| 198 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER, policy); | 145 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER, policy); |
| 199 EXPECT_EQ(net::CERT_STATUS_DATE_INVALID, status); | 146 EXPECT_TRUE(net::CERT_STATUS_AUTHORITY_INVALID & status); |
| 147 EXPECT_TRUE(net::CERT_STATUS_COMMON_NAME_INVALID & status); |
| 200 } | 148 } |
| 201 | 149 |
| 202 // Tests cert policy with null trust. | 150 // Tests cert policy with null trust. |
| 203 TEST_F(CRWCertVerificationControllerTest, PolicyForNullTrust) { | 151 TEST_F(CRWCertVerificationControllerTest, PolicyForNullTrust) { |
| 204 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_ALLOW; | 152 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_ALLOW; |
| 205 net::CertStatus status; | 153 net::CertStatus status; |
| 206 base::ScopedCFTypeRef<SecTrustRef> null_trust; | 154 base::ScopedCFTypeRef<SecTrustRef> null_trust; |
| 207 DecidePolicy(null_trust, kHostName, &policy, &status); | 155 DecidePolicy(null_trust, kHostName, &policy, &status); |
| 208 EXPECT_EQ(CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR, policy); | 156 EXPECT_EQ(CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR, policy); |
| 209 EXPECT_EQ(net::CERT_STATUS_INVALID, status); | 157 EXPECT_EQ(net::CERT_STATUS_INVALID, status); |
| 210 } | 158 } |
| 211 | 159 |
| 212 // Tests cert policy with invalid trust and null host. | 160 // Tests cert policy with invalid trust and null host. |
| 213 TEST_F(CRWCertVerificationControllerTest, PolicyForNullHost) { | 161 TEST_F(CRWCertVerificationControllerTest, PolicyForNullHost) { |
| 214 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; | 162 web::CertAcceptPolicy policy = CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR; |
| 215 net::CertStatus status; | 163 net::CertStatus status; |
| 216 DecidePolicy(invalid_trust_, nil, &policy, &status); | 164 DecidePolicy(invalid_trust_, nil, &policy, &status); |
| 217 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER, policy); | 165 EXPECT_EQ(CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER, policy); |
| 218 EXPECT_EQ(net::CERT_STATUS_INVALID, status); | 166 EXPECT_TRUE(net::CERT_STATUS_AUTHORITY_INVALID & status); |
| 167 EXPECT_TRUE(net::CERT_STATUS_COMMON_NAME_INVALID & status); |
| 219 } | 168 } |
| 220 | 169 |
| 221 // Tests SSL status with valid trust. | 170 // Tests SSL status with valid trust. |
| 222 TEST_F(CRWCertVerificationControllerTest, SSLStatusForValidTrust) { | 171 TEST_F(CRWCertVerificationControllerTest, SSLStatusForValidTrust) { |
| 223 SecurityStyle style = SECURITY_STYLE_UNKNOWN; | 172 SecurityStyle style = SECURITY_STYLE_UNKNOWN; |
| 224 net::CertStatus status = net::CERT_STATUS_ALL_ERRORS; | 173 net::CertStatus status = net::CERT_STATUS_ALL_ERRORS; |
| 225 | 174 |
| 226 QueryStatus(valid_trust_, kHostName, &style, &status); | 175 QueryStatus(valid_trust_, kHostName, &style, &status); |
| 227 EXPECT_EQ(SECURITY_STYLE_AUTHENTICATED, style); | 176 EXPECT_EQ(SECURITY_STYLE_AUTHENTICATED, style); |
| 228 EXPECT_FALSE(status); | 177 EXPECT_FALSE(status); |
| 229 } | 178 } |
| 230 | 179 |
| 231 // Tests SSL status with invalid host. | 180 // Tests SSL status with invalid host. |
| 232 TEST_F(CRWCertVerificationControllerTest, SSLStatusForInvalidHost) { | 181 TEST_F(CRWCertVerificationControllerTest, SSLStatusForInvalidTrust) { |
| 233 net::CertVerifyResult result; | |
| 234 result.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID; | |
| 235 result.verified_cert = cert_; | |
| 236 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, | |
| 237 result, | |
| 238 net::ERR_CERT_COMMON_NAME_INVALID); | |
| 239 | |
| 240 SecurityStyle style = SECURITY_STYLE_UNKNOWN; | 182 SecurityStyle style = SECURITY_STYLE_UNKNOWN; |
| 241 net::CertStatus status = net::CERT_STATUS_ALL_ERRORS; | 183 net::CertStatus status = net::CERT_STATUS_ALL_ERRORS; |
| 242 | 184 |
| 243 QueryStatus(invalid_trust_, kHostName, &style, &status); | 185 QueryStatus(invalid_trust_, kHostName, &style, &status); |
| 244 EXPECT_EQ(SECURITY_STYLE_AUTHENTICATION_BROKEN, style); | 186 EXPECT_EQ(SECURITY_STYLE_AUTHENTICATION_BROKEN, style); |
| 245 EXPECT_EQ(status, net::CERT_STATUS_COMMON_NAME_INVALID); | 187 EXPECT_TRUE(net::CERT_STATUS_AUTHORITY_INVALID & status); |
| 246 } | 188 EXPECT_TRUE(net::CERT_STATUS_COMMON_NAME_INVALID & status); |
| 247 | |
| 248 // Tests SSL status with expired cert. | |
| 249 TEST_F(CRWCertVerificationControllerTest, SSLStatusForExpiredTrust) { | |
| 250 net::CertVerifyResult result; | |
| 251 result.cert_status = net::CERT_STATUS_DATE_INVALID; | |
| 252 result.verified_cert = cert_; | |
| 253 cert_verifier_.AddResultForCertAndHost(cert_.get(), kHostName.UTF8String, | |
| 254 result, net::ERR_CERT_DATE_INVALID); | |
| 255 | |
| 256 SecurityStyle style = SECURITY_STYLE_UNKNOWN; | |
| 257 net::CertStatus status = net::CERT_STATUS_ALL_ERRORS; | |
| 258 | |
| 259 QueryStatus(invalid_trust_, kHostName, &style, &status); | |
| 260 EXPECT_EQ(SECURITY_STYLE_AUTHENTICATION_BROKEN, style); | |
| 261 EXPECT_EQ(net::CERT_STATUS_DATE_INVALID, status); | |
| 262 } | 189 } |
| 263 | 190 |
| 264 } // namespace web | 191 } // namespace web |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2225483002:
[ios] Removed CertVerifierBlockAdapter. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master