| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <memory> | 5 #include <memory> |
| 6 #include <utility> | 6 #include <utility> |
| 7 | 7 |
| 8 #include "base/memory/ptr_util.h" | 8 #include "base/memory/ptr_util.h" |
| 9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
| 10 #include "build/build_config.h" | 10 #include "build/build_config.h" |
| (...skipping 8988 matching lines...) |
| 8999 anchors */, | 8999 anchors */, |
| 9000 false /* token binding enabled */)); | 9000 false /* token binding enabled */)); |
| 9001 } | 9001 } |
| 9002 | 9002 |
| 9003 std::unique_ptr<ScopedTestRoot> test_root_; | 9003 std::unique_ptr<ScopedTestRoot> test_root_; |
| 9004 TestURLRequestContext context_; | 9004 TestURLRequestContext context_; |
| 9005 std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_; | 9005 std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_; |
| 9006 }; | 9006 }; |
| 9007 | 9007 |
| 9008 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { | 9008 static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { |
| 9009 #if defined(OS_WIN) | 9009 #if defined(OS_WIN) || defined(OS_MACOSX) |
| 9010 // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't | 9010 // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't |
| 9011 // have that ability on other platforms. | 9011 // have that ability on other platforms. |
| 9012 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; | 9012 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; |
| 9013 #else | 9013 #else |
| 9014 return 0; | 9014 return 0; |
| 9015 #endif | 9015 #endif |
| 9016 } | 9016 } |
| 9017 | 9017 |
| 9018 // SystemSupportsHardFailRevocationChecking returns true iff the current | 9018 // SystemSupportsHardFailRevocationChecking returns true iff the current |
| 9019 // operating system supports revocation checking and can distinguish between | 9019 // operating system supports revocation checking and can distinguish between |
| (...skipping 20 matching lines...) |
| 9040 return false; | 9040 return false; |
| 9041 #elif (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_ANDROID) | 9041 #elif (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_ANDROID) |
| 9042 // On OS X and Android, we use the system to tell us whether a certificate is | 9042 // On OS X and Android, we use the system to tell us whether a certificate is |
| 9043 // EV or not and the system won't recognise our testing root. | 9043 // EV or not and the system won't recognise our testing root. |
| 9044 return false; | 9044 return false; |
| 9045 #else | 9045 #else |
| 9046 return true; | 9046 return true; |
| 9047 #endif | 9047 #endif |
| 9048 } | 9048 } |
| 9049 | 9049 |
| 9050 // Returns the expected CertStatus for tests that expect an online revocation |
| 9051 // check failure as a result of checking a test EV cert, which will not |
| 9052 // actually trigger an online revocation check on some platforms. |
| 9053 static CertStatus ExpectedCertStatusForFailedOnlineEVRevocationCheck() { |
| 9054 if (SystemUsesChromiumEVMetadata()) { |
| 9055 return ExpectedCertStatusForFailedOnlineRevocationCheck(); |
| 9056 } else { |
| 9057 // If SystemUsesChromiumEVMetadata is false, revocation checking will not |
| 9058 // be enabled, and thus there will not be a revocation check to fail. |
| 9059 return 0u; |
| 9060 } |
| 9061 } |
| 9062 |
| 9050 static bool SystemSupportsOCSP() { | 9063 static bool SystemSupportsOCSP() { |
| 9051 #if defined(OS_ANDROID) | 9064 #if defined(OS_ANDROID) |
| 9052 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. | 9065 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
| 9053 return false; | 9066 return false; |
| 9054 #else | 9067 #else |
| 9055 return true; | 9068 return true; |
| 9056 #endif | 9069 #endif |
| 9057 } | 9070 } |
| 9058 | 9071 |
| 9059 static bool SystemSupportsOCSPStapling() { | 9072 static bool SystemSupportsOCSPStapling() { |
| (...skipping 31 matching lines...) |
| 9091 return; | 9104 return; |
| 9092 } | 9105 } |
| 9093 | 9106 |
| 9094 SpawnedTestServer::SSLOptions ssl_options( | 9107 SpawnedTestServer::SSLOptions ssl_options( |
| 9095 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9108 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9096 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_REVOKED; | 9109 ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_REVOKED; |
| 9097 | 9110 |
| 9098 CertStatus cert_status; | 9111 CertStatus cert_status; |
| 9099 DoConnection(ssl_options, &cert_status); | 9112 DoConnection(ssl_options, &cert_status); |
| 9100 | 9113 |
| 9101 #if !(defined(OS_MACOSX) && !defined(OS_IOS)) | |
| 9102 // Doesn't pass on OS X yet for reasons that need to be investigated. | |
| 9103 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); | 9114 EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS); |
| 9104 #endif | |
| 9105 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9115 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9106 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); | 9116 EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| 9107 } | 9117 } |
| 9108 | 9118 |
| 9109 TEST_F(HTTPSOCSPTest, Invalid) { | 9119 TEST_F(HTTPSOCSPTest, Invalid) { |
| 9110 if (!SystemSupportsOCSP()) { | 9120 if (!SystemSupportsOCSP()) { |
| 9111 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9121 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| 9112 return; | 9122 return; |
| 9113 } | 9123 } |
| 9114 | 9124 |
| (...skipping 486 matching lines...) |
| 9601 | 9611 |
| 9602 SpawnedTestServer::SSLOptions ssl_options( | 9612 SpawnedTestServer::SSLOptions ssl_options( |
| 9603 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9613 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9604 ssl_options.ocsp_status = | 9614 ssl_options.ocsp_status = |
| 9605 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; | 9615 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
| 9606 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); | 9616 SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); |
| 9607 | 9617 |
| 9608 CertStatus cert_status; | 9618 CertStatus cert_status; |
| 9609 DoConnection(ssl_options, &cert_status); | 9619 DoConnection(ssl_options, &cert_status); |
| 9610 | 9620 |
| 9611 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9621 EXPECT_EQ(ExpectedCertStatusForFailedOnlineEVRevocationCheck(), |
| 9612 cert_status & CERT_STATUS_ALL_ERRORS); | 9622 cert_status & CERT_STATUS_ALL_ERRORS); |
| 9613 | 9623 |
| 9614 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9624 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9615 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9625 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 9616 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9626 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 9617 } | 9627 } |
| 9618 | 9628 |
| 9619 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndRevokedOCSP) { | 9629 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndRevokedOCSP) { |
| 9620 if (!SystemSupportsOCSP()) { | 9630 if (!SystemSupportsOCSP()) { |
| 9621 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9631 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| (...skipping 53 matching lines...) |
| 9675 SpawnedTestServer::SSLOptions ssl_options( | 9685 SpawnedTestServer::SSLOptions ssl_options( |
| 9676 SpawnedTestServer::SSLOptions::CERT_AUTO); | 9686 SpawnedTestServer::SSLOptions::CERT_AUTO); |
| 9677 ssl_options.ocsp_status = | 9687 ssl_options.ocsp_status = |
| 9678 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; | 9688 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
| 9679 SSLConfigService::SetCRLSet( | 9689 SSLConfigService::SetCRLSet( |
| 9680 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); | 9690 scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
| 9681 | 9691 |
| 9682 CertStatus cert_status; | 9692 CertStatus cert_status; |
| 9683 DoConnection(ssl_options, &cert_status); | 9693 DoConnection(ssl_options, &cert_status); |
| 9684 | 9694 |
| 9685 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9695 EXPECT_EQ(ExpectedCertStatusForFailedOnlineEVRevocationCheck(), |
| 9686 cert_status & CERT_STATUS_ALL_ERRORS); | 9696 cert_status & CERT_STATUS_ALL_ERRORS); |
| 9687 | 9697 |
| 9688 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9698 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9689 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9699 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 9690 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9700 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 9691 } | 9701 } |
| 9692 | 9702 |
| 9693 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { | 9703 TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) { |
| 9694 if (!SystemSupportsOCSP()) { | 9704 if (!SystemSupportsOCSP()) { |
| 9695 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; | 9705 LOG(WARNING) << "Skipping test because system doesn't support OCSP"; |
| (...skipping 32 matching lines...) |
| 9728 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; | 9738 SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE; |
| 9729 SSLConfigService::SetCRLSet( | 9739 SSLConfigService::SetCRLSet( |
| 9730 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); | 9740 scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); |
| 9731 | 9741 |
| 9732 CertStatus cert_status = 0; | 9742 CertStatus cert_status = 0; |
| 9733 DoConnection(ssl_options, &cert_status); | 9743 DoConnection(ssl_options, &cert_status); |
| 9734 | 9744 |
| 9735 // Even with a fresh CRLSet, we should still do online revocation checks when | 9745 // Even with a fresh CRLSet, we should still do online revocation checks when |
| 9736 // the certificate chain isn't covered by the CRLSet, which it isn't in this | 9746 // the certificate chain isn't covered by the CRLSet, which it isn't in this |
| 9737 // test. | 9747 // test. |
| 9738 EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), | 9748 EXPECT_EQ(ExpectedCertStatusForFailedOnlineEVRevocationCheck(), |
| 9739 cert_status & CERT_STATUS_ALL_ERRORS); | 9749 cert_status & CERT_STATUS_ALL_ERRORS); |
| 9740 | 9750 |
| 9741 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); | 9751 EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| 9742 EXPECT_EQ(SystemUsesChromiumEVMetadata(), | 9752 EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| 9743 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); | 9753 static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED)); |
| 9744 } | 9754 } |
| 9745 | 9755 |
| 9746 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSetAndRevokedNonEVCert) { | 9756 TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSetAndRevokedNonEVCert) { |
| 9747 // Test that when EV verification is requested, but online revocation | 9757 // Test that when EV verification is requested, but online revocation |
| 9748 // checking is disabled, and the leaf certificate is not in fact EV, that | 9758 // checking is disabled, and the leaf certificate is not in fact EV, that |
| (...skipping 443 matching lines...) |
| 10192 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 10202 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
| 10193 | 10203 |
| 10194 req->Start(); | 10204 req->Start(); |
| 10195 req->Cancel(); | 10205 req->Cancel(); |
| 10196 base::RunLoop().RunUntilIdle(); | 10206 base::RunLoop().RunUntilIdle(); |
| 10197 EXPECT_EQ(ERR_ABORTED, d.request_status()); | 10207 EXPECT_EQ(ERR_ABORTED, d.request_status()); |
| 10198 EXPECT_EQ(0, d.received_redirect_count()); | 10208 EXPECT_EQ(0, d.received_redirect_count()); |
| 10199 } | 10209 } |
| 10200 | 10210 |
| 10201 } // namespace net | 10211 } // namespace net |
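Review bot: The widened guard at new line 9009, `#if defined(OS_WIN) || defined(OS_MACOSX)`, does not exclude iOS the way the other macOS guard in this file does (`(defined(OS_MACOSX) && !defined(OS_IOS))` at new line 9041), and the comment under it still says only Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION. If OS_MACOSX is also defined for iOS builds, as that existing guard suggests, iOS would now expect the error bit in every test that calls ExpectedCertStatusForFailedOnlineRevocationCheck(); unless that was verified, consider `#if defined(OS_WIN) || (defined(OS_MACOSX) && !defined(OS_IOS))`. The comment could become `// Windows and macOS can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; other platforms do not report a failed online check.` These expectations are what pin down whether a failed revocation check is surfaced or silently soft-fails on each platform, so a guard that is too broad or a stale comment makes a real regression harder to spot. As a smaller style point, the new helper at new line 9059 returns `0u` where its sibling at new line 9014 returns `0`; using the same literal in both would be more consistent.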