chrome/browser/ssl/ignore_errors_cert_verifier_unittest.cc - Issue 2753123002: Add --ignore-certificate-errors-spki-list switch and UMA histogram.

Side by Side Diff: chrome/browser/ssl/ignore_errors_cert_verifier_unittest.cc

Issue 2753123002: Add --ignore-certificate-errors-spki-list switch and UMA histogram. (Closed)

Patch Set: Move IgnoreErrorsCertVerifier to chrome/browser/ssl. Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« chrome/browser/ssl/ignore_errors_cert_verifier.cc ('K') | « chrome/browser/ssl/ignore_errors_cert_verifier.cc ('k') | chrome/browser/ssl/ssl_browser_tests.cc » ('j') | net/cert/mock_cert_verifier.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "chrome/browser/ssl/ignore_errors_cert_verifier.h"

	6

	7 #include "base/files/file_path.h"

	8 #include "base/memory/ptr_util.h"

	9 #include "base/memory/ref_counted.h"

	10 #include "net/base/net_errors.h"

	11 #include "net/base/test_completion_callback.h"

	12 #include "net/cert/mock_cert_verifier.h"

	13 #include "net/cert/x509_certificate.h"

	14 #include "net/log/net_log_with_source.h"

	15 #include "net/test/cert_test_util.h"

	16 #include "net/test/gtest_util.h"

	17 #include "net/test/test_data_directory.h"

	18 #include "testing/gmock/include/gmock/gmock.h"

	19 #include "testing/gtest/include/gtest/gtest.h"

	20

	21 using net::CertVerifier;

	22 using net::MockCertVerifier;

	23 using net::CompletionCallback;

	24 using net::HashValue;

	25 using net::SHA256HashValue;

	26 using net::SHA256HashValueLessThan;

	27 using net::X509Certificate;

	28 using net::TestCompletionCallback;

	29 using net::CertVerifyResult;

	30 using net::NetLogWithSource;

	31

	32 using net::ERR_CERT_INVALID;

	33 using net::ERR_IO_PENDING;

	34 using net::OK;

	35

	36 using net::test::IsError;

	37 using net::test::IsOk;

	38

	39 static IgnoreErrorsCertVerifier::SPKIHashSet MakeWhitelist() {

	40 std::vector<std::string> fingerprints{

	41 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "foobar",

	42 // SPKI fingerprint of the intermediate from

	43 // x509_verify_results.chain.pem:

	44 "MtnqgdSwAIgEjse7SpxnmyKoo/RTiL9CDIWwFnz4nas=",
	Ryan Sleevi 2017/04/12 21:53:17 It'd be better if this was dynamically computed. x It'd be better if this was dynamically computed. x509_verify_results.chain.pem is an auto-generated file, so any time it's regenerated, this would have to be updated (if baked in). Having it dynamically computed doesn't seem to undermine the system under test, but I'm curious your thoughts. martinkr 2017/04/24 23:54:25 IMHO it seems a little silly, since I essentially Show quoted text On 2017/04/12 21:53:17, Ryan Sleevi wrote: > It'd be better if this was dynamically computed. x509_verify_results.chain.pem > is an auto-generated file, so any time it's regenerated, this would have to be > updated (if baked in). Having it dynamically computed doesn't seem to undermine > the system under test, but I'm curious your thoughts. IMHO it seems a little silly, since I essentially duplicate the SUT into the test to compute the expected value. But to be totally honest, I originally just printed the string and copied the test, so it's not too different I guess. ¯\_(ツ)_/¯ Done.
	45 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="};

	46 return IgnoreErrorsCertVerifier::MakeWhitelist(fingerprints);

	47 }

	48

	49 class IgnoreErrorsCertVerifierTest : public ::testing::Test {

	50 public:

	51 IgnoreErrorsCertVerifierTest()

	52 : mock_verifier_(new MockCertVerifier()),

	53 verifier_(base::WrapUnique(mock_verifier_), MakeWhitelist()) {}

	54 ~IgnoreErrorsCertVerifierTest() override {}

	55

	56 protected:

	57 // The wrapped CertVerifier. Defaults to returning ERR_CERT_INVALID. Owned by

	58 // verifier_.

	59 MockCertVerifier* mock_verifier_;

	60 IgnoreErrorsCertVerifier verifier_;

	61 };

	62

	63 static scoped_refptr<X509Certificate> GetNonWhitelistedTestCert() {

	64 base::FilePath certs_dir = net::GetTestCertsDirectory();

	65 scoped_refptr<X509Certificate> test_cert(

	66 net::ImportCertFromFile(certs_dir, "ok_cert.pem"));

	67 CHECK(test_cert);
	Ryan Sleevi 2017/04/12 21:53:17 This is a unit test, so we shouldn't CHECK() for a This is a unit test, so we shouldn't CHECK() for any of these (which brings down the whole framework), but using the unit test macros (ASSERT_ and friends). This does require using void returns (since ASSERT_ is just a quick return) along with https://github.com/google/googletest/blob/master/googletest/docs/AdvancedGuid... martinkr 2017/04/24 23:54:26 Done. Show quoted text On 2017/04/12 21:53:17, Ryan Sleevi wrote: > This is a unit test, so we shouldn't CHECK() for any of these (which brings down > the whole framework), but using the unit test macros (ASSERT_ and friends). This > does require using void returns (since ASSERT_ is just a quick return) along > with > https://github.com/google/googletest/blob/master/googletest/docs/AdvancedGuid... Done.
	68 return test_cert;

	69 }

	70

	71 static CertVerifier::RequestParams MakeRequestParams(

	72 const scoped_refptr<X509Certificate>& cert) {

	73 return CertVerifier::RequestParams(cert, "example.com", 0, "",

	74 net::CertificateList());

	75 }

	76

	77 static scoped_refptr<X509Certificate> GetWhitelistedTestCert() {

	78 base::FilePath certs_dir = net::GetTestCertsDirectory();

	79 net::CertificateList certs = net::CreateCertificateListFromFile(

	80 certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);

	81 CHECK_EQ(3U, certs.size());
	Ryan Sleevi 2017/04/12 21:53:17 ditto re: CHECK ditto re: CHECK martinkr 2017/04/24 23:54:26 Done. Show quoted text On 2017/04/12 21:53:17, Ryan Sleevi wrote: > ditto re: CHECK Done.
	82 X509Certificate::OSCertHandles intermediates;

	83 intermediates.push_back(certs[1]->os_cert_handle());

	84 intermediates.push_back(certs[2]->os_cert_handle());

	85 scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(

	86 certs[0]->os_cert_handle(), intermediates);

	87 CHECK(cert_chain);

	88 CHECK_EQ(2U, cert_chain->GetIntermediateCertificates().size());
	Ryan Sleevi 2017/04/12 21:53:17 ditto re: CHECK ditto re: CHECK martinkr 2017/04/24 23:54:26 Done. Show quoted text On 2017/04/12 21:53:17, Ryan Sleevi wrote: > ditto re: CHECK Done.
	89 return cert_chain;

	90 }

	91

	92 TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertOk) {

	93 mock_verifier_->set_default_result(OK);

	94

	95 scoped_refptr<X509Certificate> test_cert = GetNonWhitelistedTestCert();

	96 CertVerifyResult verify_result;

	97 TestCompletionCallback callback;

	98 std::unique_ptr<CertVerifier::Request> request;

	99

	100 EXPECT_THAT(callback.GetResult(verifier_.Verify(

	101 MakeRequestParams(test_cert), nullptr, &verify_result,

	102 callback.callback(), &request, NetLogWithSource())),

	103 IsOk());

	104 }

	105

	106 TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertError) {

	107 scoped_refptr<X509Certificate> test_cert = GetNonWhitelistedTestCert();

	108 CertVerifyResult verify_result;

	109 TestCompletionCallback callback;

	110 std::unique_ptr<CertVerifier::Request> request;

	111

	112 EXPECT_THAT(callback.GetResult(verifier_.Verify(

	113 MakeRequestParams(test_cert), nullptr, &verify_result,

	114 callback.callback(), &request, NetLogWithSource())),

	115 IsError(ERR_CERT_INVALID));

	116 }

	117

	118 TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertErrorCallback) {

	119 mock_verifier_->set_async(true);

	120

	121 scoped_refptr<X509Certificate> test_cert = GetNonWhitelistedTestCert();

	122 CertVerifyResult verify_result;

	123 TestCompletionCallback callback;

	124 std::unique_ptr<CertVerifier::Request> request;

	125

	126 EXPECT_THAT(

	127 verifier_.Verify(MakeRequestParams(test_cert), nullptr, &verify_result,

	128 callback.callback(), &request, NetLogWithSource()),

	129 IsError(ERR_IO_PENDING));

	130 EXPECT_THAT(callback.WaitForResult(), IsError(ERR_CERT_INVALID));

	131 }

	132

	133 TEST_F(IgnoreErrorsCertVerifierTest, TestMatch) {

	134 scoped_refptr<X509Certificate> test_cert = GetWhitelistedTestCert();

	135 CertVerifyResult verify_result;

	136 TestCompletionCallback callback;

	137 std::unique_ptr<CertVerifier::Request> request;

	138

	139 EXPECT_THAT(callback.GetResult(verifier_.Verify(

	140 MakeRequestParams(test_cert), nullptr, &verify_result,

	141 callback.callback(), &request, NetLogWithSource())),

	142 IsOk());

	143 }

	144

	145 TEST_F(IgnoreErrorsCertVerifierTest, TestMatchCallback) {

	146 mock_verifier_->set_async(true);

	147

	148 scoped_refptr<X509Certificate> test_cert = GetWhitelistedTestCert();

	149 CertVerifyResult verify_result;

	150 TestCompletionCallback callback;

	151 std::unique_ptr<CertVerifier::Request> request;

	152

	153 EXPECT_THAT(

	154 verifier_.Verify(MakeRequestParams(test_cert), nullptr, &verify_result,

	155 callback.callback(), &request, NetLogWithSource()),

	156 IsError(ERR_IO_PENDING));

	157 EXPECT_THAT(callback.WaitForResult(), IsOk());

	158 }

OLD	NEW