| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" | 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/macros.h" | 9 #include "base/macros.h" |
| 10 #include "base/test/scoped_feature_list.h" |
| 10 #include "base/time/time.h" | 11 #include "base/time/time.h" |
| 11 #include "components/cast_certificate/cast_cert_validator.h" | 12 #include "components/cast_certificate/cast_cert_validator.h" |
| 12 #include "components/cast_certificate/cast_cert_validator_test_helpers.h" | 13 #include "components/cast_certificate/cast_cert_validator_test_helpers.h" |
| 13 #include "components/cast_certificate/cast_crl.h" | 14 #include "components/cast_certificate/cast_crl.h" |
| 14 #include "components/cast_certificate/proto/test_suite.pb.h" | 15 #include "components/cast_certificate/proto/test_suite.pb.h" |
| 15 #include "extensions/common/api/cast_channel/cast_channel.pb.h" | 16 #include "extensions/common/api/cast_channel/cast_channel.pb.h" |
| 16 #include "net/cert/internal/trust_store_in_memory.h" | 17 #include "net/cert/internal/trust_store_in_memory.h" |
| 18 #include "net/cert/x509_certificate.h" |
| 17 #include "testing/gtest/include/gtest/gtest.h" | 19 #include "testing/gtest/include/gtest/gtest.h" |
| 18 | 20 |
| 19 namespace extensions { | 21 namespace extensions { |
| 20 namespace api { | 22 namespace api { |
| 21 namespace cast_channel { | 23 namespace cast_channel { |
| 22 namespace { | 24 namespace { |
| 23 | 25 |
| 24 class CastAuthUtilTest : public testing::Test { | 26 class CastAuthUtilTest : public testing::Test { |
| 25 public: | 27 public: |
| 26 CastAuthUtilTest() {} | 28 CastAuthUtilTest() {} |
| 97 | 99 |
| 98 TEST_F(CastAuthUtilTest, VerifyBadPeerCert) { | 100 TEST_F(CastAuthUtilTest, VerifyBadPeerCert) { |
| 99 std::string signed_data; | 101 std::string signed_data; |
| 100 AuthResponse auth_response = CreateAuthResponse(&signed_data); | 102 AuthResponse auth_response = CreateAuthResponse(&signed_data); |
| 101 MangleString(&signed_data); | 103 MangleString(&signed_data); |
| 102 AuthResult result = VerifyCredentials(auth_response, signed_data); | 104 AuthResult result = VerifyCredentials(auth_response, signed_data); |
| 103 EXPECT_FALSE(result.success()); | 105 EXPECT_FALSE(result.success()); |
| 104 EXPECT_EQ(AuthResult::ERROR_SIGNED_BLOBS_MISMATCH, result.error_type); | 106 EXPECT_EQ(AuthResult::ERROR_SIGNED_BLOBS_MISMATCH, result.error_type); |
| 105 } | 107 } |
| 106 | 108 |
| 109 TEST_F(CastAuthUtilTest, VerifySenderNonceMatch) { |
| 110 base::test::ScopedFeatureList scoped_feature_list; |
| 111 scoped_feature_list.InitAndEnableFeature( |
| 112 base::Feature{"CastNonceEnforced", base::FEATURE_DISABLED_BY_DEFAULT}); |
| 113 AuthContext context = AuthContext::Create(); |
| 114 AuthResult result = context.VerifySenderNonce(context.nonce()); |
| 115 EXPECT_TRUE(result.success()); |
| 116 } |
| 117 |
| 118 TEST_F(CastAuthUtilTest, VerifySenderNonceMismatch) { |
| 119 base::test::ScopedFeatureList scoped_feature_list; |
| 120 scoped_feature_list.InitAndEnableFeature( |
| 121 base::Feature{"CastNonceEnforced", base::FEATURE_DISABLED_BY_DEFAULT}); |
| 122 AuthContext context = AuthContext::Create(); |
| 123 std::string received_nonce = "test2"; |
| 124 EXPECT_NE(received_nonce, context.nonce()); |
| 125 AuthResult result = context.VerifySenderNonce(received_nonce); |
| 126 EXPECT_FALSE(result.success()); |
| 127 EXPECT_EQ(AuthResult::ERROR_SENDER_NONCE_MISMATCH, result.error_type); |
| 128 } |
| 129 |
| 130 TEST_F(CastAuthUtilTest, VerifySenderNonceMissing) { |
| 131 base::test::ScopedFeatureList scoped_feature_list; |
| 132 scoped_feature_list.InitAndEnableFeature( |
| 133 base::Feature{"CastNonceEnforced", base::FEATURE_DISABLED_BY_DEFAULT}); |
| 134 AuthContext context = AuthContext::Create(); |
| 135 std::string received_nonce = ""; |
| 136 EXPECT_FALSE(context.nonce().empty()); |
| 137 AuthResult result = context.VerifySenderNonce(received_nonce); |
| 138 EXPECT_FALSE(result.success()); |
| 139 EXPECT_EQ(AuthResult::ERROR_SENDER_NONCE_MISMATCH, result.error_type); |
| 140 } |
| 141 |
| 142 TEST_F(CastAuthUtilTest, VerifyTLSCertificateSuccess) { |
| 143 auto tls_cert_der = cast_certificate::testing::ReadCertificateChainFromFile( |
| 144 "certificates/test_tls_cert.pem"); |
| 145 |
| 146 scoped_refptr<net::X509Certificate> tls_cert = |
| 147 net::X509Certificate::CreateFromBytes(tls_cert_der[0].data(), |
| 148 tls_cert_der[0].size()); |
| 149 std::string peer_cert_der; |
| 150 AuthResult result = |
| 151 VerifyTLSCertificate(*tls_cert, &peer_cert_der, tls_cert->valid_start()); |
| 152 EXPECT_TRUE(result.success()); |
| 153 } |
| 154 |
| 155 TEST_F(CastAuthUtilTest, VerifyTLSCertificateTooEarly) { |
| 156 auto tls_cert_der = cast_certificate::testing::ReadCertificateChainFromFile( |
| 157 "certificates/test_tls_cert.pem"); |
| 158 |
| 159 scoped_refptr<net::X509Certificate> tls_cert = |
| 160 net::X509Certificate::CreateFromBytes(tls_cert_der[0].data(), |
| 161 tls_cert_der[0].size()); |
| 162 std::string peer_cert_der; |
| 163 AuthResult result = VerifyTLSCertificate( |
| 164 *tls_cert, &peer_cert_der, |
| 165 tls_cert->valid_start() - base::TimeDelta::FromSeconds(1)); |
| 166 EXPECT_FALSE(result.success()); |
| 167 EXPECT_EQ(AuthResult::ERROR_TLS_CERT_VALID_START_DATE_IN_FUTURE, |
| 168 result.error_type); |
| 169 } |
| 170 |
| 171 TEST_F(CastAuthUtilTest, VerifyTLSCertificateTooLate) { |
| 172 auto tls_cert_der = cast_certificate::testing::ReadCertificateChainFromFile( |
| 173 "certificates/test_tls_cert.pem"); |
| 174 |
| 175 scoped_refptr<net::X509Certificate> tls_cert = |
| 176 net::X509Certificate::CreateFromBytes(tls_cert_der[0].data(), |
| 177 tls_cert_der[0].size()); |
| 178 std::string peer_cert_der; |
| 179 AuthResult result = VerifyTLSCertificate( |
| 180 *tls_cert, &peer_cert_der, |
| 181 tls_cert->valid_expiry() + base::TimeDelta::FromSeconds(2)); |
| 182 EXPECT_FALSE(result.success()); |
| 183 EXPECT_EQ(AuthResult::ERROR_TLS_CERT_EXPIRED, result.error_type); |
| 184 } |
| 185 |
| 107 // Indicates the expected result of test step's verification. | 186 // Indicates the expected result of test step's verification. |
| 108 enum TestStepResult { | 187 enum TestStepResult { |
| 109 RESULT_SUCCESS, | 188 RESULT_SUCCESS, |
| 110 RESULT_FAIL, | 189 RESULT_FAIL, |
| 111 }; | 190 }; |
| 112 | 191 |
| 113 // Verifies that the certificate chain provided is not revoked according to | 192 // Verifies that the certificate chain provided is not revoked according to |
| 114 // the provided Cast CRL at |verification_time|. | 193 // the provided Cast CRL at |verification_time|. |
| 115 // The provided CRL is verified at |verification_time|. | 194 // The provided CRL is verified at |verification_time|. |
| 116 // If |crl_required| is set, then a valid Cast CRL must be provided. | 195 // If |crl_required| is set, then a valid Cast CRL must be provided. |
| 251 } | 330 } |
| 252 | 331 |
| 253 TEST_F(CastAuthUtilTest, CRLTestSuite) { | 332 TEST_F(CastAuthUtilTest, CRLTestSuite) { |
| 254 RunTestSuite("testsuite/testsuite1.pb"); | 333 RunTestSuite("testsuite/testsuite1.pb"); |
| 255 } | 334 } |
| 256 | 335 |
| 257 } // namespace | 336 } // namespace |
| 258 } // namespace cast_channel | 337 } // namespace cast_channel |
| 259 } // namespace api | 338 } // namespace api |
| 260 } // namespace extensions | 339 } // namespace extensions |
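Review bot: VerifyTLSCertificateSuccess indexes `tls_cert_der[0]` and dereferences `*tls_cert` without checking either, so a missing or unparsable `certificates/test_tls_cert.pem` turns into undefined behaviour or a null dereference instead of a test failure with a message; add `ASSERT_FALSE(tls_cert_der.empty());` right after the read and `ASSERT_TRUE(tls_cert);` before the `VerifyTLSCertificate` call. The same applies to VerifyTLSCertificateTooEarly and VerifyTLSCertificateTooLate, which repeat the loading lines verbatim and would read better with a small fixture helper that performs the load and those two assertions once. Separately, the three VerifySenderNonce tests each construct their own `base::Feature{"CastNonceEnforced", base::FEATURE_DISABLED_BY_DEFAULT}`; if production code declares a feature with the same name at a different address (not visible here), FeatureList's feature-identity check may object, so referencing the production constant through the header would be the safer choice. A one-line comment on why VerifyTLSCertificateTooLate offsets `valid_expiry()` by two seconds while the TooEarly case uses one would also spare the next reader a guess about the boundary semantics.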