| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <memory> | 5 #include <memory> |
| 6 #include <utility> | 6 #include <utility> |
| 7 | 7 |
| 8 #include "base/memory/ptr_util.h" | 8 #include "base/memory/ptr_util.h" |
| 9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
| 10 #include "build/build_config.h" | 10 #include "build/build_config.h" |
| (...skipping 8984 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8995 anchors */, | 8995 anchors */, |
| 8996 false /* token binding enabled */)); | 8996 false /* token binding enabled */)); |
| 8997 } | 8997 } |
| 8998 | 8998 |
| 8999 std::unique_ptr<ScopedTestRoot> test_root_; | 8999 std::unique_ptr<ScopedTestRoot> test_root_; |
| 9000 TestURLRequestContext context_; | 9000 TestURLRequestContext context_; |
| 9001 std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_; | 9001 std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_; |
| 9002 }; | 9002 }; |
| 9003 | 9003 |
| 9004 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { | 9004 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { |
| 9005 #if defined(OS_WIN) || defined(OS_MACOSX) | 9005 #if defined(OS_WIN) |
| 9006 // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't | 9006 // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't |
| 9007 // have that ability on other platforms. | 9007 // have that ability on other platforms. |
| 9008 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; | 9008 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; |
| 9009 #else | 9009 #else |
| 9010 return 0; | 9010 return 0; |
| 9011 #endif | 9011 #endif |
| 9012 } | 9012 } |
| 9013 | 9013 |
| 9014 // SystemSupportsHardFailRevocationChecking returns true iff the current | 9014 // SystemSupportsHardFailRevocationChecking returns true iff the current |
| 9015 // operating system supports revocation checking and can distinguish between | 9015 // operating system supports revocation checking and can distinguish between |
| (...skipping 20 matching lines...) Expand all Loading... |
| 9036 return false; | 9036 return false; |
| 9037 #elif (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_ANDROID) | 9037 #elif (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_ANDROID) |
| 9038 // On OS X and Android, we use the system to tell us whether a certificate is | 9038 // On OS X and Android, we use the system to tell us whether a certificate is |
| 9039 // EV or not and the system won't recognise our testing root. | 9039 // EV or not and the system won't recognise our testing root. |
| 9040 return false; | 9040 return false; |
| 9041 #else | 9041 #else |
| 9042 return true; | 9042 return true; |
| 9043 #endif | 9043 #endif |
| 9044 } | 9044 } |
| 9045 | 9045 |
| 9046 // Returns the expected CertStatus for tests that expect an online revocation | |
| 9047 // check failure as a result of checking a test EV cert, which will not | |
| 9048 // actually trigger an online revocation check on some platforms. | |
| 9049 static CertStatus ExpectedCertStatusForFailedOnlineEVRevocationCheck() { | |
| 9050 if (SystemUsesChromiumEVMetadata()) { | |
| 9051 return ExpectedCertStatusForFailedOnlineRevocationCheck(); | |
| 9052 } else { | |
| 9053 // If SystemUsesChromiumEVMetadata is false, revocation checking will not | |
| 9054 // be enabled, and thus there will not be a revocation check to fail. | |
| 9055 return 0u; | |
| 9056 } | |
| 9057 } | |
| 9058 | |
| 9059 static bool SystemSupportsOCSP() { | 9046 static bool SystemSupportsOCSP() { |
| 9060 #if defined(OS_ANDROID) | 9047 #if defined(OS_ANDROID) |
| 9061 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. | 9048 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
| 9062 return false; | 9049 return false; |
| 9063 #else | 9050 #else |
| 9064 return true; | 9051 return true; |
| 9065 #endif | 9052 #endif |
| 9066 } | 9053 } |
| 9067 | 9054 |
| 9068 static bool SystemSupportsOCSPStapling() { | 9055 static bool SystemSupportsOCSPStapling() { |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9100 return; | 9087 return; |
| 9101 } | 9088 } |
| 9102 | 9089 |
| 9103 SpawnedTestServer::SSLOptions ssl_options( | 9090 SpawnedTestServer::SSLOptions ssl_options( |
| 9104 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9091 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9105 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_REVOKED; | 9092 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_REVOKED; |
| 9106 | 9093 |
| 9107 CertStatus cert_status; | 9094 CertStatus cert_status; |
| 9108 DoConnection(ssl_options, &cert_status); | 9095 DoConnection(ssl_options, &cert_status); |
| 9109 | 9096 |
| 9097 #if !(defined(OS_MACOSX) && !defined(OS_IOS)) |
| 9098 // Doesn't pass on OS X yet for reasons that need to be investigated. |
| 9110 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); | 9099 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); |
| 9100 #endif |
| 9111 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9101 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9112 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9102 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| 9113 } | 9103 } |
| 9114 | 9104 |
| 9115 TEST_F(HTTPSOCSPTest, Invalid) { | 9105 TEST_F(HTTPSOCSPTest, Invalid) { |
| 9116 if (!SystemSupportsOCSP()) { | 9106 if (!SystemSupportsOCSP()) { |
| 9117 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9107 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| 9118 return; | 9108 return; |
| 9119 } | 9109 } |
| 9120 | 9110 |
| (...skipping 486 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9607 | 9597 |
| 9608 SpawnedTestServer::SSLOptions ssl_options( | 9598 SpawnedTestServer::SSLOptions ssl_options( |
| 9609 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9599 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9610 ssl_options.ocsp_status = | 9600 ssl_options.ocsp_status = |
| 9611 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; | 9601 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
| 9612 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); | 9602 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); |
| 9613 | 9603 |
| 9614 CertStatus cert_status; | 9604 CertStatus cert_status; |
| 9615 DoConnection(ssl_options, &cert_status); | 9605 DoConnection(ssl_options, &cert_status); |
| 9616 | 9606 |
| 9617 EXPECT_EQ(ExpectedCertStatusForFailedOnlineEVRevocationCheck(), | 9607 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
| 9618 cert_status & CERT_STATUS_ALL_ERRORS); | 9608 cert_status & CERT_STATUS_ALL_ERRORS); |
| 9619 | 9609 |
| 9620 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9610 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9621 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9611 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 9622 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9612 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 9623 } | 9613 } |
| 9624 | 9614 |
| 9625 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndRevokedOCSP) { | 9615 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndRevokedOCSP) { |
| 9626 if (!SystemSupportsOCSP()) { | 9616 if (!SystemSupportsOCSP()) { |
| 9627 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9617 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| (...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9681 SpawnedTestServer::SSLOptions ssl_options( | 9671 SpawnedTestServer::SSLOptions ssl_options( |
| 9682 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9672 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9683 ssl_options.ocsp_status = | 9673 ssl_options.ocsp_status = |
| 9684 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; | 9674 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
| 9685 SSLConfigService::SetCRLSet( | 9675 SSLConfigService::SetCRLSet( |
| 9686 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); | 9676 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
| 9687 | 9677 |
| 9688 CertStatus cert_status; | 9678 CertStatus cert_status; |
| 9689 DoConnection(ssl_options, &cert_status); | 9679 DoConnection(ssl_options, &cert_status); |
| 9690 | 9680 |
| 9691 EXPECT_EQ(ExpectedCertStatusForFailedOnlineEVRevocationCheck(), | 9681 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
| 9692 cert_status & CERT_STATUS_ALL_ERRORS); | 9682 cert_status & CERT_STATUS_ALL_ERRORS); |
| 9693 | 9683 |
| 9694 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9684 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9695 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9685 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 9696 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9686 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 9697 } | 9687 } |
| 9698 | 9688 |
| 9699 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { | 9689 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { |
| 9700 if (!SystemSupportsOCSP()) { | 9690 if (!SystemSupportsOCSP()) { |
| 9701 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9691 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9734 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; | 9724 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
| 9735 SSLConfigService::SetCRLSet( | 9725 SSLConfigService::SetCRLSet( |
| 9736 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); | 9726 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); |
| 9737 | 9727 |
| 9738 CertStatus cert_status = 0; | 9728 CertStatus cert_status = 0; |
| 9739 DoConnection(ssl_options, &cert_status); | 9729 DoConnection(ssl_options, &cert_status); |
| 9740 | 9730 |
| 9741 // Even with a fresh CRLSet, we should still do online revocation checks when | 9731 // Even with a fresh CRLSet, we should still do online revocation checks when |
| 9742 // the certificate chain isn't covered by the CRLSet, which it isn't in this | 9732 // the certificate chain isn't covered by the CRLSet, which it isn't in this |
| 9743 // test. | 9733 // test. |
| 9744 EXPECT_EQ(ExpectedCertStatusForFailedOnlineEVRevocationCheck(), | 9734 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
| 9745 cert_status & CERT_STATUS_ALL_ERRORS); | 9735 cert_status & CERT_STATUS_ALL_ERRORS); |
| 9746 | 9736 |
| 9747 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9737 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9748 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9738 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 9749 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9739 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 9750 } | 9740 } |
| 9751 | 9741 |
| 9752 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSetAndRevokedNonEVCert) { | 9742 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSetAndRevokedNonEVCert) { |
| 9753 // Test that when EV verification is requested, but online revocation | 9743 // Test that when EV verification is requested, but online revocation |
| 9754 // checking is disabled, and the leaf certificate is not in fact EV, that | 9744 // checking is disabled, and the leaf certificate is not in fact EV, that |
| (...skipping 443 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 10198 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 10188 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
| 10199 | 10189 |
| 10200 req->Start(); | 10190 req->Start(); |
| 10201 req->Cancel(); | 10191 req->Cancel(); |
| 10202 base::RunLoop().RunUntilIdle(); | 10192 base::RunLoop().RunUntilIdle(); |
| 10203 EXPECT_EQ(ERR_ABORTED, d.request_status()); | 10193 EXPECT_EQ(ERR_ABORTED, d.request_status()); |
| 10204 EXPECT_EQ(0, d.received_redirect_count()); | 10194 EXPECT_EQ(0, d.received_redirect_count()); |
| 10205 } | 10195 } |
| 10206 | 10196 |
| 10207 } // namespace net | 10197 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2347893002:
Revert of CertVerifyProcMac: Add Keychain re-ordering hack, check CRLsets in path pruning loop. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master