Index: net/url_request/url_request_unittest.cc
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 60920ef3de116317c49efeddd53b1a18670379a7..b1c013ce2417e70d5caf17e962762c4ef854602f 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -9619,6 +9619,65 @@ TEST_F(HTTPSOCSPTest, ExpectStapleReportSentOnMissing) {
mock_report_sender.latest_report_uri());
}
+// Tests that Expect-Staple reports are not sent for connections on which there
estark 2016/12/21 17:53:12 Just in case this is confusing: In PS #1, this wa
+// is a certificate error.
+TEST_F(HTTPSOCSPTest, ExpectStapleReportNotSentOnMissingWithCertError) {
+ EmbeddedTestServer https_test_server(net::EmbeddedTestServer::TYPE_HTTPS);
+ https_test_server.SetSSLConfig(
+ net::EmbeddedTestServer::CERT_COMMON_NAME_IS_DOMAIN);
+ https_test_server.ServeFilesFromSourceDirectory(
+ base::FilePath(kTestFilePath));
+ ASSERT_TRUE(https_test_server.Start());
+
+ // Set up a MockCertVerifier to report an error for the certificate
+ // and indicate that there was no stapled OCSP response.
+ scoped_refptr<X509Certificate> cert = https_test_server.GetCertificate();
+ ASSERT_TRUE(cert);
+ MockCertVerifier cert_verifier;
+ CertVerifyResult verify_result;
+ verify_result.cert_status = CERT_STATUS_DATE_INVALID;
+ verify_result.verified_cert = cert;
+ verify_result.is_issued_by_known_root = true;
+ verify_result.ocsp_result.response_status = OCSPVerifyResult::MISSING;
+ cert_verifier.AddResultForCert(cert.get(), verify_result,
+ ERR_CERT_DATE_INVALID);
+
+ // Set up a mock report sender so that the test can check that an
+ // Expect-Staple report is not sent.
+ TransportSecurityState transport_security_state;
+ MockCertificateReportSender mock_report_sender;
+ transport_security_state.SetReportSender(&mock_report_sender);
+
+ TestNetworkDelegate network_delegate;
+ TestURLRequestContext context(true);
+
+ // Force |kExpectStapleStaticHostname| to resolve to |https_test_server|.
+ MockHostResolver host_resolver;
+ context.set_host_resolver(&host_resolver);
+
+ context.set_transport_security_state(&transport_security_state);
+ context.set_network_delegate(&network_delegate);
+ context.set_cert_verifier(&cert_verifier);
+ context.Init();
+
+ // Make a connection to |kExpectStapleStaticHostname|. Because the
+ // |verify_result| used with the |cert_verifier| will indicate a certificate
+ // error, an Expect-Staple report should not be sent.
+ TestDelegate d;
+ GURL url = https_test_server.GetURL("/");
+ GURL::Replacements replace_host;
+ replace_host.SetHostStr(kExpectStapleStaticHostname);
+ url = url.ReplaceComponents(replace_host);
+ std::unique_ptr<URLRequest> violating_request(
+ context.CreateRequest(url, DEFAULT_PRIORITY, &d));
+ violating_request->Start();
+ base::RunLoop().Run();
+
+ // Confirm a report was not sent.
+ EXPECT_TRUE(mock_report_sender.latest_report().empty());
+ EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
+}
+
TEST_F(HTTPSOCSPTest, ExpectStapleReportNotSentOnValid) {
EmbeddedTestServer https_test_server(net::EmbeddedTestServer::TYPE_HTTPS);
https_test_server.SetSSLConfig(
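Review bot: The final assertions in ExpectStapleReportNotSentOnMissingWithCertError never confirm that the mocked certificate error actually occurred, so the test also passes if the MockCertVerifier result is never matched against the served certificate and the Expect-Staple path is simply never reached. Pin the precondition before checking the report sender, e.g. `EXPECT_EQ(ERR_CERT_DATE_INVALID, d.request_status());` and `EXPECT_TRUE(violating_request->ssl_info().cert_status & CERT_STATUS_DATE_INVALID);` (the exact TestDelegate accessor may differ in this revision). With that in place a later change that stops the verifier result from being applied fails loudly instead of silently turning this into a vacuous negative test. The trailing context lines of the hunk belong to ExpectStapleReportNotSentOnValid, whose body continues outside the hunk.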
@@ -9671,6 +9730,65 @@ TEST_F(HTTPSOCSPTest, ExpectStapleReportNotSentOnValid) {
EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
}
+// Tests that an Expect-Staple report is not sent when OCSP details are not
+// checked on the connection.
+TEST_F(HTTPSOCSPTest, ExpectStapleReportNotSentOnNotChecked) {
+ EmbeddedTestServer https_test_server(net::EmbeddedTestServer::TYPE_HTTPS);
+ https_test_server.SetSSLConfig(
+ net::EmbeddedTestServer::CERT_COMMON_NAME_IS_DOMAIN);
+ https_test_server.ServeFilesFromSourceDirectory(
+ base::FilePath(kTestFilePath));
+ ASSERT_TRUE(https_test_server.Start());
+
+ // Set up a MockCertVerifier to accept the certificate that the server sends,
+ // and set |ocsp_result| to indicate that OCSP stapling details were not
+ // checked on the connection.
+ scoped_refptr<X509Certificate> cert = https_test_server.GetCertificate();
+ ASSERT_TRUE(cert);
+ MockCertVerifier cert_verifier;
+ CertVerifyResult verify_result;
+ verify_result.verified_cert = cert;
+ verify_result.is_issued_by_known_root = true;
+ verify_result.ocsp_result.response_status = OCSPVerifyResult::NOT_CHECKED;
+ cert_verifier.AddResultForCert(cert.get(), verify_result, OK);
+
+ // Set up a mock report sender so that the test can check that an
+ // Expect-Staple report is not sent.
+ TransportSecurityState transport_security_state;
+ MockCertificateReportSender mock_report_sender;
+ transport_security_state.SetReportSender(&mock_report_sender);
+
+ TestNetworkDelegate network_delegate;
+ TestURLRequestContext context(true);
+
+ // Force |kExpectStapleStaticHostname| to resolve to |https_test_server|.
+ MockHostResolver host_resolver;
+ context.set_host_resolver(&host_resolver);
+
+ context.set_transport_security_state(&transport_security_state);
+ context.set_network_delegate(&network_delegate);
+ context.set_cert_verifier(&cert_verifier);
+ context.Init();
+
+ // Make a connection to |kExpectStapleStaticHostname|. Because the
+ // |verify_result| used with the |cert_verifier| will indicate that OCSP
+ // stapling details were not checked on the connection, an Expect-Staple
+ // report should not be sent.
+ TestDelegate d;
+ GURL url = https_test_server.GetURL("/");
+ GURL::Replacements replace_host;
+ replace_host.SetHostStr(kExpectStapleStaticHostname);
+ url = url.ReplaceComponents(replace_host);
+ std::unique_ptr<URLRequest> ok_request(
+ context.CreateRequest(url, DEFAULT_PRIORITY, &d));
+ ok_request->Start();
+ base::RunLoop().Run();
+
+ // Check that no report was sent.
+ EXPECT_TRUE(mock_report_sender.latest_report().empty());
+ EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
+}
+
static const struct OCSPVerifyTestData {
std::vector<SpawnedTestServer::SSLOptions::OCSPSingleResponse> ocsp_responses;
SpawnedTestServer::SSLOptions::OCSPProduced ocsp_produced;
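Review bot: ExpectStapleReportNotSentOnNotChecked asserts only that no report was sent, which is equally true if the request failed for an unrelated reason before the Expect-Staple check ran, for instance if the mocked OK result were not applied and the test certificate were rejected outright. Add a success check ahead of the report assertions, e.g. `EXPECT_EQ(OK, d.request_status());` and, if SSLInfo exposes it in this revision, `EXPECT_EQ(OCSPVerifyResult::NOT_CHECKED, ok_request->ssl_info().ocsp_result.response_status);`. The header comment would also benefit from one sentence saying what NOT_CHECKED means here, presumably that the verifier did not evaluate the stapled response at all rather than that no staple was present, since that distinction is the reason the report must be suppressed. The hunk's last lines open the OCSPVerifyTestData struct, which continues outside the hunk.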