
Unified Diff: net/http/transport_security_state_unittest.cc

Issue 2420203003: Turn off Expect-Staple reporting for private roots (Closed)
Patch Set: test fixes Created 4 years, 2 months ago
Index: net/http/transport_security_state_unittest.cc
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
index bdc2dd2f1793a2c8b48c96b66e5d28277f8ad57c..93b75f39cb5c2c8e2441f20e24fccb1c4df5ff85 100644
--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -258,8 +258,7 @@ void CheckHPKPReport(
// 5. The "cert-status" field matches |cert_status|, and is not present when
// |cert_status| is empty.
// 6. The "validated-chain" and "serverd-chain" fields match those in
-// |ssl_info|, and are only present when |ssl_info.is_issued_by_known_root|
-// is true.
+// |ssl_info|.
void CheckSerializedExpectStapleReport(const std::string& report,
const HostPortPair& host_port_pair,
const SSLInfo& ssl_info,
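Review bot: Item 6 of the comment above CheckSerializedExpectStapleReport names the fields "validated-chain" and "serverd-chain", which does not match the key the function reads further down ("validated-certificate-chain"), and "serverd" is a typo. Since the commit already rewrites this item, it could read `// 6. The "validated-certificate-chain" and "served-certificate-chain" fields match those in |ssl_info|.` The served key name is inferred from the validated one and should be confirmed against the serializer. The function body lies outside this hunk.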
@@ -318,18 +317,13 @@ void CheckSerializedExpectStapleReport(const std::string& report,
bool has_validated_chain = report_dict->GetList(
"validated-certificate-chain", &report_validated_certificate_chain);
- if (ssl_info.is_issued_by_known_root) {
- EXPECT_TRUE(has_served_chain);
- EXPECT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
- ssl_info.unverified_cert, report_served_certificate_chain));
+ EXPECT_TRUE(has_served_chain);
+ EXPECT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
+ ssl_info.unverified_cert, report_served_certificate_chain));
- EXPECT_TRUE(has_validated_chain);
- EXPECT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
- ssl_info.cert, report_validated_certificate_chain));
- } else {
- EXPECT_FALSE(has_served_chain);
- EXPECT_FALSE(has_validated_chain);
- }
+ EXPECT_TRUE(has_validated_chain);
+ EXPECT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
+ ssl_info.cert, report_validated_certificate_chain));
}
// Set up |state| for ExpectStaple, call CheckExpectStaple(), and verify the
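Review bot: `EXPECT_TRUE(has_served_chain)` and `EXPECT_TRUE(has_validated_chain)` do not stop the helper on failure, so the CompareCertificateChainWithList calls that follow still run on a list pointer that GetList did not populate. Now that both chains are required unconditionally, `ASSERT_TRUE(has_served_chain);` and `ASSERT_TRUE(has_validated_chain);` would turn a missing chain into one clear failure; the helper returns void, so ASSERT_* is usable here. How the list pointers are initialised is declared outside this hunk, so the risk of a bad dereference is inferred rather than shown.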
@@ -345,6 +339,11 @@ void CheckExpectStapleReport(TransportSecurityState* state,
HostPortPair host_port(kExpectStapleStaticHostname, 443);
state->SetReportSender(reporter);
state->CheckExpectStaple(host_port, ssl_info, ocsp_response);
+ if (!ssl_info.is_issued_by_known_root) {
+ EXPECT_EQ(GURL(), reporter->latest_report_uri());
+ EXPECT_EQ(std::string(), reporter->latest_report());
+ return;
+ }
EXPECT_EQ(GURL(kExpectStapleStaticReportURI), reporter->latest_report_uri());
EXPECT_EQ("application/json; charset=utf-8", reporter->latest_content_type());
std::string serialized_report = reporter->latest_report();
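Review bot: The new private-root branch shows that no report was sent only by comparing `latest_report_uri()` and `latest_report()` with empty values, which is meaningful only if the reporter was cleared before this call. The tests in this patch do call `reporter.Clear()` first, but the precondition is implicit. Either call `reporter->Clear();` immediately before `state->CheckExpectStaple(...)` in this helper, or say in the function comment that a private-root |ssl_info| expects no report and needs a cleared reporter. Going by the issue title, this is the check that keeps private-root connections from producing reports, so it should not depend on call order. The function's comment and the rest of its body are outside the hunk.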
@@ -2067,14 +2066,14 @@ TEST_P(ExpectStapleErrorResponseTest, CheckResponseStatusSerialization) {
ssl_info.unverified_cert = cert2;
ssl_info.ocsp_result.response_status = test.response_status;
- // Certificate chains should only be included when |is_issued_by_known_root|
- // is true.
+ // Reports should only be sent when |is_issued_by_known_root| is true.
ssl_info.is_issued_by_known_root = true;
ASSERT_NO_FATAL_FAILURE(
CheckExpectStapleReport(&state, &reporter, ssl_info, ocsp_response,
test.response_status_string, std::string()));
+ reporter.Clear();
- // No certificate chains should be included in the report.
+ // No report should be sent.
ssl_info.is_issued_by_known_root = false;
ASSERT_NO_FATAL_FAILURE(
CheckExpectStapleReport(&state, &reporter, ssl_info, ocsp_response,
@@ -2122,14 +2121,13 @@ TEST_P(ExpectStapleErrorCertStatusTest, CheckCertStatusSerialization) {
ssl_info.ocsp_result.response_status = OCSPVerifyResult::PROVIDED;
ssl_info.ocsp_result.revocation_status = test.revocation_status;
- // Certificate chains should only be included when |is_issued_by_known_root|
- // is true.
+ // Reports should only be sent when |is_issued_by_known_root| is true.
ssl_info.is_issued_by_known_root = true;
ASSERT_NO_FATAL_FAILURE(CheckExpectStapleReport(&state, &reporter, ssl_info,
ocsp_response, "PROVIDED",
test.cert_status_string));
+ reporter.Clear();
- // No certificate chains should be included in the report.
ssl_info.is_issued_by_known_root = false;
ASSERT_NO_FATAL_FAILURE(CheckExpectStapleReport(&state, &reporter, ssl_info,
ocsp_response, "PROVIDED",
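Review bot: The comment removed before `ssl_info.is_issued_by_known_root = false;` has no replacement here, while the matching spot in ExpectStapleErrorResponseTest gained `// No report should be sent.` Add the same line so both tests say what the second CheckExpectStapleReport call is meant to verify. The test body continues past the end of the hunk.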
