| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <utility> | 10 #include <utility> |
| (...skipping 12 matching lines...) Expand all Loading... |
| 23 #include "base/trace_event/trace_event_argument.h" | 23 #include "base/trace_event/trace_event_argument.h" |
| 24 #include "base/values.h" | 24 #include "base/values.h" |
| 25 #include "net/base/address_list.h" | 25 #include "net/base/address_list.h" |
| 26 #include "net/base/io_buffer.h" | 26 #include "net/base/io_buffer.h" |
| 27 #include "net/base/net_errors.h" | 27 #include "net/base/net_errors.h" |
| 28 #include "net/base/test_completion_callback.h" | 28 #include "net/base/test_completion_callback.h" |
| 29 #include "net/cert/asn1_util.h" | 29 #include "net/cert/asn1_util.h" |
| 30 #include "net/cert/ct_policy_enforcer.h" | 30 #include "net/cert/ct_policy_enforcer.h" |
| 31 #include "net/cert/ct_policy_status.h" | 31 #include "net/cert/ct_policy_status.h" |
| 32 #include "net/cert/ct_verifier.h" | 32 #include "net/cert/ct_verifier.h" |
| 33 #include "net/cert/do_nothing_ct_verifier.h" |
| 33 #include "net/cert/mock_cert_verifier.h" | 34 #include "net/cert/mock_cert_verifier.h" |
| 34 #include "net/cert/signed_certificate_timestamp_and_status.h" | 35 #include "net/cert/signed_certificate_timestamp_and_status.h" |
| 35 #include "net/cert/test_root_certs.h" | 36 #include "net/cert/test_root_certs.h" |
| 36 #include "net/der/input.h" | 37 #include "net/der/input.h" |
| 37 #include "net/der/parser.h" | 38 #include "net/der/parser.h" |
| 38 #include "net/der/tag.h" | 39 #include "net/der/tag.h" |
| 39 #include "net/dns/host_resolver.h" | 40 #include "net/dns/host_resolver.h" |
| 40 #include "net/http/transport_security_state.h" | 41 #include "net/http/transport_security_state.h" |
| 41 #include "net/log/net_log_event_type.h" | 42 #include "net/log/net_log_event_type.h" |
| 42 #include "net/log/net_log_source.h" | 43 #include "net/log/net_log_source.h" |
| (...skipping 656 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 699 int GetChannelIDCount() override { return 0; } | 700 int GetChannelIDCount() override { return 0; } |
| 700 void SetForceKeepSessionState() override {} | 701 void SetForceKeepSessionState() override {} |
| 701 bool IsEphemeral() override { return true; } | 702 bool IsEphemeral() override { return true; } |
| 702 }; | 703 }; |
| 703 | 704 |
| 704 // A mock CTVerifier that records every call to Verify but doesn't verify | 705 // A mock CTVerifier that records every call to Verify but doesn't verify |
| 705 // anything. | 706 // anything. |
| 706 class MockCTVerifier : public CTVerifier { | 707 class MockCTVerifier : public CTVerifier { |
| 707 public: | 708 public: |
| 708 MOCK_METHOD5(Verify, | 709 MOCK_METHOD5(Verify, |
| 709 int(X509Certificate*, | 710 void(X509Certificate*, |
| 710 const std::string&, | 711 base::StringPiece, |
| 711 const std::string&, | 712 base::StringPiece, |
| 712 SignedCertificateTimestampAndStatusList*, | 713 SignedCertificateTimestampAndStatusList*, |
| 713 const NetLogWithSource&)); | 714 const NetLogWithSource&)); |
| 714 MOCK_METHOD1(SetObserver, void(CTVerifier::Observer*)); | 715 MOCK_METHOD1(SetObserver, void(CTVerifier::Observer*)); |
| 715 }; | 716 }; |
| 716 | 717 |
| 717 // A mock CTPolicyEnforcer that returns a custom verification result. | 718 // A mock CTPolicyEnforcer that returns a custom verification result. |
| 718 class MockCTPolicyEnforcer : public CTPolicyEnforcer { | 719 class MockCTPolicyEnforcer : public CTPolicyEnforcer { |
| 719 public: | 720 public: |
| 720 MOCK_METHOD3(DoesConformToCertPolicy, | 721 MOCK_METHOD3(DoesConformToCertPolicy, |
| 721 ct::CertPolicyCompliance(X509Certificate* cert, | 722 ct::CertPolicyCompliance(X509Certificate* cert, |
| 722 const ct::SCTList&, | 723 const ct::SCTList&, |
| 723 const NetLogWithSource&)); | 724 const NetLogWithSource&)); |
| 724 MOCK_METHOD4(DoesConformToCTEVPolicy, | 725 MOCK_METHOD4(DoesConformToCTEVPolicy, |
| 725 ct::EVPolicyCompliance(X509Certificate* cert, | 726 ct::EVPolicyCompliance(X509Certificate* cert, |
| 726 const ct::EVCertsWhitelist*, | 727 const ct::EVCertsWhitelist*, |
| 727 const ct::SCTList&, | 728 const ct::SCTList&, |
| 728 const NetLogWithSource&)); | 729 const NetLogWithSource&)); |
| 729 }; | 730 }; |
| 730 | 731 |
| 731 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { | 732 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
| 732 public: | 733 public: |
| 733 MOCK_METHOD1(IsCTRequiredForHost, | 734 MOCK_METHOD1(IsCTRequiredForHost, |
| 734 CTRequirementLevel(const std::string& host)); | 735 CTRequirementLevel(const std::string& host)); |
| 735 }; | 736 }; |
| 736 | 737 |
| 737 class SSLClientSocketTest : public PlatformTest { | 738 class SSLClientSocketTest : public PlatformTest { |
| 738 public: | 739 public: |
| 739 SSLClientSocketTest() | 740 SSLClientSocketTest() |
| 740 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | 741 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), |
| 741 cert_verifier_(new MockCertVerifier), | 742 cert_verifier_(new MockCertVerifier), |
| 742 transport_security_state_(new TransportSecurityState), | 743 transport_security_state_(new TransportSecurityState), |
| 743 ct_verifier_(new MockCTVerifier), | 744 ct_verifier_(new DoNothingCTVerifier), |
| 744 ct_policy_enforcer_(new MockCTPolicyEnforcer) { | 745 ct_policy_enforcer_(new MockCTPolicyEnforcer) { |
| 745 cert_verifier_->set_default_result(OK); | 746 cert_verifier_->set_default_result(OK); |
| 746 context_.cert_verifier = cert_verifier_.get(); | 747 context_.cert_verifier = cert_verifier_.get(); |
| 747 context_.transport_security_state = transport_security_state_.get(); | 748 context_.transport_security_state = transport_security_state_.get(); |
| 748 context_.cert_transparency_verifier = ct_verifier_.get(); | 749 context_.cert_transparency_verifier = ct_verifier_.get(); |
| 749 context_.ct_policy_enforcer = ct_policy_enforcer_.get(); | 750 context_.ct_policy_enforcer = ct_policy_enforcer_.get(); |
| 750 | 751 |
| 751 EXPECT_CALL(*ct_verifier_, Verify(_, _, _, _, _)) | |
| 752 .WillRepeatedly(Return(OK)); | |
| 753 EXPECT_CALL(*ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) | 752 EXPECT_CALL(*ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) |
| 754 .WillRepeatedly( | 753 .WillRepeatedly( |
| 755 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); | 754 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
| 756 EXPECT_CALL(*ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) | 755 EXPECT_CALL(*ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) |
| 757 .WillRepeatedly( | 756 .WillRepeatedly( |
| 758 Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); | 757 Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); |
| 759 } | 758 } |
| 760 | 759 |
| 761 protected: | 760 protected: |
| 762 // The address of the spawned test server, after calling StartTestServer(). | 761 // The address of the spawned test server, after calling StartTestServer(). |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 840 // Get the MockCertVerifier to verify it as an EV cert. | 839 // Get the MockCertVerifier to verify it as an EV cert. |
| 841 CertVerifyResult verify_result; | 840 CertVerifyResult verify_result; |
| 842 verify_result.cert_status = status; | 841 verify_result.cert_status = status; |
| 843 verify_result.verified_cert = server_cert; | 842 verify_result.verified_cert = server_cert; |
| 844 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK); | 843 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK); |
| 845 } | 844 } |
| 846 | 845 |
| 847 ClientSocketFactory* socket_factory_; | 846 ClientSocketFactory* socket_factory_; |
| 848 std::unique_ptr<MockCertVerifier> cert_verifier_; | 847 std::unique_ptr<MockCertVerifier> cert_verifier_; |
| 849 std::unique_ptr<TransportSecurityState> transport_security_state_; | 848 std::unique_ptr<TransportSecurityState> transport_security_state_; |
| 850 std::unique_ptr<MockCTVerifier> ct_verifier_; | 849 std::unique_ptr<DoNothingCTVerifier> ct_verifier_; |
| 851 std::unique_ptr<MockCTPolicyEnforcer> ct_policy_enforcer_; | 850 std::unique_ptr<MockCTPolicyEnforcer> ct_policy_enforcer_; |
| 852 SSLClientSocketContext context_; | 851 SSLClientSocketContext context_; |
| 853 std::unique_ptr<SSLClientSocket> sock_; | 852 std::unique_ptr<SSLClientSocket> sock_; |
| 854 TestNetLog log_; | 853 TestNetLog log_; |
| 855 | 854 |
| 856 private: | 855 private: |
| 857 std::unique_ptr<SpawnedTestServer> spawned_test_server_; | 856 std::unique_ptr<SpawnedTestServer> spawned_test_server_; |
| 858 TestCompletionCallback callback_; | 857 TestCompletionCallback callback_; |
| 859 AddressList addr_; | 858 AddressList addr_; |
| 860 }; | 859 }; |
| (...skipping 1435 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2296 ssl_options.client_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN); | 2295 ssl_options.client_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN); |
| 2297 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options); | 2296 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options); |
| 2298 ASSERT_TRUE(request_info.get()); | 2297 ASSERT_TRUE(request_info.get()); |
| 2299 ASSERT_EQ(2u, request_info->cert_key_types.size()); | 2298 ASSERT_EQ(2u, request_info->cert_key_types.size()); |
| 2300 EXPECT_EQ(CLIENT_CERT_RSA_SIGN, request_info->cert_key_types[0]); | 2299 EXPECT_EQ(CLIENT_CERT_RSA_SIGN, request_info->cert_key_types[0]); |
| 2301 EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, request_info->cert_key_types[1]); | 2300 EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, request_info->cert_key_types[1]); |
| 2302 } | 2301 } |
| 2303 | 2302 |
| 2304 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) { | 2303 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) { |
| 2305 // Encoding of SCT List containing 'test'. | 2304 // Encoding of SCT List containing 'test'. |
| 2306 std::string sct_ext("\x00\x06\x00\x04test", 8); | 2305 base::StringPiece sct_ext("\x00\x06\x00\x04test", 8); |
| 2307 | 2306 |
| 2308 SpawnedTestServer::SSLOptions ssl_options; | 2307 SpawnedTestServer::SSLOptions ssl_options; |
| 2309 ssl_options.signed_cert_timestamps_tls_ext = sct_ext; | 2308 ssl_options.signed_cert_timestamps_tls_ext = sct_ext.as_string(); |
| 2310 ASSERT_TRUE(StartTestServer(ssl_options)); | 2309 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 2311 | 2310 |
| 2312 SSLConfig ssl_config; | 2311 SSLConfig ssl_config; |
| 2313 ssl_config.signed_cert_timestamps_enabled = true; | 2312 ssl_config.signed_cert_timestamps_enabled = true; |
| 2314 | 2313 |
| 2315 MockCTVerifier ct_verifier; | 2314 MockCTVerifier ct_verifier; |
| 2316 SetCTVerifier(&ct_verifier); | 2315 SetCTVerifier(&ct_verifier); |
| 2317 | 2316 |
| 2318 // Check that the SCT list is extracted as expected. | 2317 // Check that the SCT list is extracted from the TLS extension as expected, |
| 2319 EXPECT_CALL(ct_verifier, Verify(_, "", sct_ext, _, _)) | 2318 // while also simulating that it was an unparsable response. |
| 2320 .WillRepeatedly(Return(ERR_CT_NO_SCTS_VERIFIED_OK)); | 2319 SignedCertificateTimestampAndStatusList sct_list; |
| 2320 EXPECT_CALL(ct_verifier, Verify(_, _, sct_ext, _, _)) |
| 2321 .WillOnce(testing::SetArgPointee<3>(sct_list)); |
| 2321 | 2322 |
| 2322 int rv; | 2323 int rv; |
| 2323 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2324 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2324 EXPECT_THAT(rv, IsOk()); | 2325 EXPECT_THAT(rv, IsOk()); |
| 2325 | 2326 |
| 2326 EXPECT_TRUE(sock_->signed_cert_timestamps_received_); | 2327 EXPECT_TRUE(sock_->signed_cert_timestamps_received_); |
| 2327 } | 2328 } |
| 2328 | 2329 |
| 2329 // Test that when an EV certificate is received, but no CT verifier | |
| 2330 // or certificate policy enforcer are defined, then the EV status | |
| 2331 // of the certificate is maintained. | |
| 2332 TEST_F(SSLClientSocketTest, EVCertStatusMaintainedNoCTVerifier) { | |
| 2333 SpawnedTestServer::SSLOptions ssl_options; | |
| 2334 ASSERT_TRUE(StartTestServer(ssl_options)); | |
| 2335 | |
| 2336 SSLConfig ssl_config; | |
| 2337 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); | |
| 2338 | |
| 2339 // No verifier to skip CT and policy checks. | |
| 2340 int rv; | |
| 2341 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
| 2342 EXPECT_THAT(rv, IsOk()); | |
| 2343 | |
| 2344 SSLInfo result; | |
| 2345 ASSERT_TRUE(sock_->GetSSLInfo(&result)); | |
| 2346 | |
| 2347 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV); | |
| 2348 } | |
| 2349 | |
| 2350 // Test that when a CT verifier and a CTPolicyEnforcer are defined, and | 2330 // Test that when a CT verifier and a CTPolicyEnforcer are defined, and |
| 2351 // the EV certificate used conforms to the CT/EV policy, its EV status | 2331 // the EV certificate used conforms to the CT/EV policy, its EV status |
| 2352 // is maintained. | 2332 // is maintained. |
| 2353 TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) { | 2333 TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) { |
| 2354 SpawnedTestServer::SSLOptions ssl_options; | 2334 SpawnedTestServer::SSLOptions ssl_options; |
| 2355 ASSERT_TRUE(StartTestServer(ssl_options)); | 2335 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 2356 | 2336 |
| 2357 SSLConfig ssl_config; | 2337 SSLConfig ssl_config; |
| 2358 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); | 2338 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); |
| 2359 | 2339 |
| 2360 // To activate the CT/EV policy enforcement non-null CTVerifier and | |
| 2361 // CTPolicyEnforcer are needed. | |
| 2362 MockCTVerifier ct_verifier; | |
| 2363 SetCTVerifier(&ct_verifier); | |
| 2364 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); | |
| 2365 | |
| 2366 // Emulate compliance of the certificate to the policy. | 2340 // Emulate compliance of the certificate to the policy. |
| 2367 MockCTPolicyEnforcer policy_enforcer; | 2341 MockCTPolicyEnforcer policy_enforcer; |
| 2368 SetCTPolicyEnforcer(&policy_enforcer); | 2342 SetCTPolicyEnforcer(&policy_enforcer); |
| 2369 EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _, _)) | 2343 EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _, _)) |
| 2370 .WillRepeatedly( | 2344 .WillRepeatedly( |
| 2371 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); | 2345 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
| 2372 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) | 2346 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) |
| 2373 .WillRepeatedly( | 2347 .WillRepeatedly( |
| 2374 Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); | 2348 Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); |
| 2375 | 2349 |
| (...skipping 10 matching lines...) Expand all Loading... |
| 2386 // Test that when a CT verifier and a CTPolicyEnforcer are defined, but | 2360 // Test that when a CT verifier and a CTPolicyEnforcer are defined, but |
| 2387 // the EV certificate used does not conform to the CT/EV policy, its EV status | 2361 // the EV certificate used does not conform to the CT/EV policy, its EV status |
| 2388 // is removed. | 2362 // is removed. |
| 2389 TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) { | 2363 TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) { |
| 2390 SpawnedTestServer::SSLOptions ssl_options; | 2364 SpawnedTestServer::SSLOptions ssl_options; |
| 2391 ASSERT_TRUE(StartTestServer(ssl_options)); | 2365 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 2392 | 2366 |
| 2393 SSLConfig ssl_config; | 2367 SSLConfig ssl_config; |
| 2394 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); | 2368 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); |
| 2395 | 2369 |
| 2396 // To activate the CT/EV policy enforcement non-null CTVerifier and | |
| 2397 // CTPolicyEnforcer are needed. | |
| 2398 MockCTVerifier ct_verifier; | |
| 2399 SetCTVerifier(&ct_verifier); | |
| 2400 EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); | |
| 2401 | |
| 2402 // Emulate non-compliance of the certificate to the policy. | 2370 // Emulate non-compliance of the certificate to the policy. |
| 2403 MockCTPolicyEnforcer policy_enforcer; | 2371 MockCTPolicyEnforcer policy_enforcer; |
| 2404 SetCTPolicyEnforcer(&policy_enforcer); | 2372 SetCTPolicyEnforcer(&policy_enforcer); |
| 2405 EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _, _)) | 2373 EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _, _)) |
| 2406 .WillRepeatedly( | 2374 .WillRepeatedly( |
| 2407 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | 2375 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2408 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) | 2376 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) |
| 2409 .WillRepeatedly( | 2377 .WillRepeatedly( |
| 2410 Return(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS)); | 2378 Return(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS)); |
| 2411 | 2379 |
| 2412 int rv; | 2380 int rv; |
| 2413 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2381 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2414 EXPECT_THAT(rv, IsOk()); | 2382 EXPECT_THAT(rv, IsOk()); |
| 2415 | 2383 |
| 2416 SSLInfo result; | 2384 SSLInfo result; |
| 2417 ASSERT_TRUE(sock_->GetSSLInfo(&result)); | 2385 ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
| 2418 | 2386 |
| 2419 EXPECT_FALSE(result.cert_status & CERT_STATUS_IS_EV); | 2387 EXPECT_FALSE(result.cert_status & CERT_STATUS_IS_EV); |
| 2420 EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED); | 2388 EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED); |
| 2421 } | 2389 } |
| 2422 | 2390 |
| 2423 namespace { | |
| 2424 | |
| 2425 bool IsValidOCSPResponse(const base::StringPiece& input) { | |
| 2426 der::Parser parser((der::Input(input))); | |
| 2427 der::Parser sequence; | |
| 2428 return parser.ReadSequence(&sequence) && !parser.HasMore() && | |
| 2429 sequence.SkipTag(der::kEnumerated) && | |
| 2430 sequence.SkipTag(der::kTagContextSpecific | der::kTagConstructed | | |
| 2431 0) && | |
| 2432 !sequence.HasMore(); | |
| 2433 } | |
| 2434 | |
| 2435 } // namespace | |
| 2436 | |
| 2437 // Test that enabling Signed Certificate Timestamps enables OCSP stapling. | 2391 // Test that enabling Signed Certificate Timestamps enables OCSP stapling. |
| 2438 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledOCSP) { | 2392 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledOCSP) { |
| 2439 SpawnedTestServer::SSLOptions ssl_options; | 2393 SpawnedTestServer::SSLOptions ssl_options; |
| 2440 ssl_options.staple_ocsp_response = true; | 2394 ssl_options.staple_ocsp_response = true; |
| 2441 // The test server currently only knows how to generate OCSP responses | 2395 // The test server currently only knows how to generate OCSP responses |
| 2442 // for a freshly minted certificate. | 2396 // for a freshly minted certificate. |
| 2443 ssl_options.server_certificate = SpawnedTestServer::SSLOptions::CERT_AUTO; | 2397 ssl_options.server_certificate = SpawnedTestServer::SSLOptions::CERT_AUTO; |
| 2444 | 2398 |
| 2445 ASSERT_TRUE(StartTestServer(ssl_options)); | 2399 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 2446 | 2400 |
| 2447 SSLConfig ssl_config; | 2401 SSLConfig ssl_config; |
| 2448 // Enabling Signed Cert Timestamps ensures we request OCSP stapling for | 2402 // Enabling Signed Cert Timestamps ensures we request OCSP stapling for |
| 2449 // Certificate Transparency verification regardless of whether the platform | 2403 // Certificate Transparency verification regardless of whether the platform |
| 2450 // is able to process the OCSP status itself. | 2404 // is able to process the OCSP status itself. |
| 2451 ssl_config.signed_cert_timestamps_enabled = true; | 2405 ssl_config.signed_cert_timestamps_enabled = true; |
| 2452 | 2406 |
| 2453 MockCTVerifier ct_verifier; | |
| 2454 SetCTVerifier(&ct_verifier); | |
| 2455 | |
| 2456 // Check that the OCSP response is extracted and well-formed. It should be the | |
| 2457 // DER encoding of an OCSPResponse (RFC 2560), so check that it consists of a | |
| 2458 // SEQUENCE of an ENUMERATED type and an element tagged with [0] EXPLICIT. In | |
| 2459 // particular, it should not include the overall two-byte length prefix from | |
| 2460 // TLS. | |
| 2461 EXPECT_CALL(ct_verifier, | |
| 2462 Verify(_, Truly(IsValidOCSPResponse), "", _, _)).WillRepeatedly( | |
| 2463 Return(ERR_CT_NO_SCTS_VERIFIED_OK)); | |
| 2464 | |
| 2465 int rv; | 2407 int rv; |
| 2466 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2408 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2467 EXPECT_THAT(rv, IsOk()); | 2409 EXPECT_THAT(rv, IsOk()); |
| 2468 | 2410 |
| 2469 EXPECT_TRUE(sock_->stapled_ocsp_response_received_); | 2411 EXPECT_TRUE(sock_->stapled_ocsp_response_received_); |
| 2470 } | 2412 } |
| 2471 | 2413 |
| 2472 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsDisabled) { | 2414 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsDisabled) { |
| 2473 SpawnedTestServer::SSLOptions ssl_options; | 2415 SpawnedTestServer::SSLOptions ssl_options; |
| 2474 ssl_options.signed_cert_timestamps_tls_ext = "test"; | 2416 ssl_options.signed_cert_timestamps_tls_ext = "test"; |
| (...skipping 1257 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3732 if (dump_name.find("parent2/ssl_socket") != std::string::npos) { | 3674 if (dump_name.find("parent2/ssl_socket") != std::string::npos) { |
| 3733 did_dump[1] = true; | 3675 did_dump[1] = true; |
| 3734 // The read buffer is not released, so |buffer_size| can't be 0. | 3676 // The read buffer is not released, so |buffer_size| can't be 0. |
| 3735 ASSERT_NE("0", buffer_size); | 3677 ASSERT_NE("0", buffer_size); |
| 3736 } | 3678 } |
| 3737 } | 3679 } |
| 3738 EXPECT_THAT(did_dump, testing::ElementsAre(true, true)); | 3680 EXPECT_THAT(did_dump, testing::ElementsAre(true, true)); |
| 3739 } | 3681 } |
| 3740 | 3682 |
| 3741 } // namespace net | 3683 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2604513002:
Optimize CT & OCSP handling code (Closed)
