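--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -1,25 +1,26 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/sha1.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/test/histogram_tester.h"
 #include "build/build_config.h"
 #include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/crl_set_storage.h"
 #include "net/cert/test_root_certs.h"
@@ -41,20 +42,25 @@
 
 using net::test::IsError;
 using net::test::IsOk;
 
 using base::HexEncode;
 
 namespace net {
 
 namespace {
 
+const char kTLSFeatureExtensionHistogram[] =
+"Net.Certificate.TLSFeatureExtensionWithPrivateRoot";
+const char kTLSFeatureExtensionOCSPHistogram[] =
+"Net.Certificate.TLSFeatureExtensionWithPrivateRootHasOCSP";
+
 // Mock CertVerifyProc that sets the CertVerifyResult to a given value for
 // all certificates that are Verify()'d
 class MockCertVerifyProc : public CertVerifyProc {
 public:
 explicit MockCertVerifyProc(const CertVerifyResult& result)
 : result_(result) {}
 // CertVerifyProc implementation:
 bool SupportsAdditionalTrustAnchors() const override { return false; }
 bool SupportsOCSPStapling() const override { return false; }
 
@@ -157,20 +163,31 @@
 int Verify(X509Certificate* cert,
 const std::string& hostname,
 int flags,
 CRLSet* crl_set,
 const CertificateList& additional_trust_anchors,
 CertVerifyResult* verify_result) {
 return verify_proc_->Verify(cert, hostname, std::string(), flags, crl_set,
 additional_trust_anchors, verify_result);
 }
 
+int VerifyWithOCSPResponse(X509Certificate* cert,
+const std::string& hostname,
+const std::string& ocsp_response,
+int flags,
+CRLSet* crl_set,
+const CertificateList& additional_trust_anchors,
+CertVerifyResult* verify_result) {
+return verify_proc_->Verify(cert, hostname, ocsp_response, flags, crl_set,
+additional_trust_anchors, verify_result);
+}
+
 const CertificateList empty_cert_list_;
 scoped_refptr<CertVerifyProc> verify_proc_;
 };
 
 #if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
 #define MAYBE_EVVerification DISABLED_EVVerification
 #else
 // TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer
 // expired, http://crbug.com/502818
@@ -1837,11 +1854,112 @@
 // large_key.pem may need to be regenerated with a larger key.
 int flags = 0;
 CertVerifyResult verify_result;
 int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
 &verify_result);
 EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
 EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status);
 }
 #endif // defined(OS_MACOSX) && !defined(OS_IOS)
 
+// Tests that CertVerifyProc records a histogram correctly when a
+// certificate chaining to a private root contains the TLS feature
+// extension and does not have a stapled OCSP response.
+TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
+base::HistogramTester histograms;
+scoped_refptr<X509Certificate> cert(
+ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
+CertVerifyResult result;
+result.is_issued_by_known_root = false;
+result.verified_cert = cert;
+verify_proc_ = new MockCertVerifyProc(result);
+
+histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
+histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
+
+int flags = 0;
+CertVerifyResult verify_result;
+int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+&verify_result);
+EXPECT_EQ(OK, error);
+histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
+histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
+histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1);
+histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, false, 1);
+}
+
+// Tests that CertVerifyProc records a histogram correctly when a
+// certificate chaining to a private root contains the TLS feature
+// extension and does have a stapled OCSP response.
+TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
+base::HistogramTester histograms;
+scoped_refptr<X509Certificate> cert(
+ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
+CertVerifyResult result;
+result.is_issued_by_known_root = false;
+result.verified_cert = cert;
+verify_proc_ = new MockCertVerifyProc(result);
+
+histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
+histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
+
+int flags = 0;
+CertVerifyResult verify_result;
+int error =
+VerifyWithOCSPResponse(cert.get(), "127.0.0.1", "dummy response", flags,
+NULL, empty_cert_list_, &verify_result);
+EXPECT_EQ(OK, error);
+histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
+histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
+histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1);
+histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, true, 1);
+}
+
+// Tests that CertVerifyProc records a histogram correctly when a
+// certificate chaining to a private root does not contain the TLS feature
+// extension.
+TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
+base::HistogramTester histograms;
+scoped_refptr<X509Certificate> cert(
+ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
+CertVerifyResult result;
+result.is_issued_by_known_root = false;
+result.verified_cert = cert;
+verify_proc_ = new MockCertVerifyProc(result);
+
+histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
+histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
+
+int flags = 0;
+CertVerifyResult verify_result;
+int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+&verify_result);
+EXPECT_EQ(OK, error);
+histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
+histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1);
+histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
+}
+
+// Tests that CertVerifyProc does not record a histogram when a
+// certificate contains the TLS feature extension but chains to a public
+// root.
+TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) {
+base::HistogramTester histograms;
+scoped_refptr<X509Certificate> cert(
+ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
+CertVerifyResult result;
+result.is_issued_by_known_root = true;
+result.verified_cert = cert;
+verify_proc_ = new MockCertVerifyProc(result);
+
+histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
+
+int flags = 0;
+CertVerifyResult verify_result;
+int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+&verify_result);
+EXPECT_EQ(OK, error);
+histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
+histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
+}
+
 } // namespace net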
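Review bot: The four new tests starting at new line 1867 hand the imported certificate to `result.verified_cert` and `Verify()` without checking that `ImportCertFromFile` succeeded, so a missing or unreadable `tls_feature_extension.pem` / `ok_cert.pem` would show up as a null dereference inside the verifier instead of a clear test failure; add `ASSERT_TRUE(cert.get());` directly after each import. The same tests report the outcome with `EXPECT_EQ(OK, error)` while the rest of this file (and the `using net::test::IsOk;` near the top) uses `EXPECT_THAT(error, IsOk());`, which also prints the error name when it fails. The setup block (import the file, build a `CertVerifyResult` with `is_issued_by_known_root`, install the mock, assert both histograms start at zero) is repeated verbatim four times and would read better as one helper taking the file name and the known-root flag; the public-root test also skips the initial zero check on `kTLSFeatureExtensionOCSPHistogram` that the other three perform. All four test bodies are complete within this section.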