| Index: chrome/browser/ssl/ignore_errors_cert_verifier_unittest.cc
|
| diff --git a/chrome/browser/ssl/ignore_errors_cert_verifier_unittest.cc b/chrome/browser/ssl/ignore_errors_cert_verifier_unittest.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..18633674a4a89e905a79325b45bc7903a7003b82
|
| --- /dev/null
|
| +++ b/chrome/browser/ssl/ignore_errors_cert_verifier_unittest.cc
|
| @@ -0,0 +1,200 @@
|
| +// Copyright 2017 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "chrome/browser/ssl/ignore_errors_cert_verifier.h"
|
| +
|
| +#include "base/base64.h"
|
| +#include "base/files/file_path.h"
|
| +#include "base/memory/ptr_util.h"
|
| +#include "base/memory/ref_counted.h"
|
| +#include "base/strings/string_piece.h"
|
| +#include "base/strings/string_util.h"
|
| +#include "chrome/browser/io_thread.h"
|
| +#include "chrome/common/chrome_switches.h"
|
| +#include "crypto/sha2.h"
|
| +#include "net/base/net_errors.h"
|
| +#include "net/base/test_completion_callback.h"
|
| +#include "net/cert/asn1_util.h"
|
| +#include "net/cert/mock_cert_verifier.h"
|
| +#include "net/cert/x509_certificate.h"
|
| +#include "net/log/net_log_with_source.h"
|
| +#include "net/test/cert_test_util.h"
|
| +#include "net/test/gtest_util.h"
|
| +#include "net/test/test_data_directory.h"
|
| +#include "testing/gmock/include/gmock/gmock.h"
|
| +#include "testing/gtest/include/gtest/gtest.h"
|
| +
|
| +using net::CertVerifier;
|
| +using net::MockCertVerifier;
|
| +using net::CompletionCallback;
|
| +using net::HashValue;
|
| +using net::SHA256HashValue;
|
| +using net::SHA256HashValueLessThan;
|
| +using net::X509Certificate;
|
| +using net::TestCompletionCallback;
|
| +using net::CertVerifyResult;
|
| +using net::NetLogWithSource;
|
| +
|
| +using net::ERR_CERT_INVALID;
|
| +using net::ERR_IO_PENDING;
|
| +using net::OK;
|
| +
|
| +using net::test::IsError;
|
| +using net::test::IsOk;
|
| +
|
| +static std::vector<std::string> MakeWhitelist() {
|
| + base::FilePath certs_dir = net::GetTestCertsDirectory();
|
| + net::CertificateList certs = net::CreateCertificateListFromFile(
|
| + certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
|
| + std::string cert_der, hash_base64;
|
| + base::StringPiece cert_spki;
|
| + SHA256HashValue hash;
|
| + X509Certificate::GetDEREncoded(certs[1]->os_cert_handle(), &cert_der);
|
| + net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki);
|
| +
|
| + crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue));
|
| + base::Base64Encode(base::StringPiece(reinterpret_cast<const char*>(hash.data),
|
| + sizeof(hash.data)),
|
| + &hash_base64);
|
| + return {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "foobar", hash_base64,
|
| + "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="};
|
| +}
|
| +
|
| +class IgnoreErrorsCertVerifierTest : public ::testing::Test {
|
| + public:
|
| + IgnoreErrorsCertVerifierTest()
|
| + : mock_verifier_(new MockCertVerifier()),
|
| + verifier_(base::WrapUnique(mock_verifier_),
|
| + IgnoreErrorsCertVerifier::SPKIHashSet()) {}
|
| + ~IgnoreErrorsCertVerifierTest() override {}
|
| +
|
| + protected:
|
| + void SetUp() override {
|
| + verifier_.set_whitelist(
|
| + IgnoreErrorsCertVerifier::MakeWhitelist(MakeWhitelist()));
|
| + };
|
| +
|
| + // The wrapped CertVerifier. Defaults to returning ERR_CERT_INVALID. Owned by
|
| + // |verifier_|.
|
| + MockCertVerifier* mock_verifier_;
|
| + IgnoreErrorsCertVerifier verifier_;
|
| +};
|
| +
|
| +static void GetNonWhitelistedTestCert(scoped_refptr<X509Certificate>* out) {
|
| + base::FilePath certs_dir = net::GetTestCertsDirectory();
|
| + scoped_refptr<X509Certificate> test_cert(
|
| + net::ImportCertFromFile(certs_dir, "ok_cert.pem"));
|
| + ASSERT_TRUE(test_cert);
|
| + out->swap(test_cert);
|
| +}
|
| +
|
| +static CertVerifier::RequestParams MakeRequestParams(
|
| + const scoped_refptr<X509Certificate>& cert) {
|
| + return CertVerifier::RequestParams(cert, "example.com", 0, "",
|
| + net::CertificateList());
|
| +}
|
| +
|
| +static void GetWhitelistedTestCert(scoped_refptr<X509Certificate>* out) {
|
| + base::FilePath certs_dir = net::GetTestCertsDirectory();
|
| + net::CertificateList certs = net::CreateCertificateListFromFile(
|
| + certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
|
| + ASSERT_EQ(3U, certs.size());
|
| + X509Certificate::OSCertHandles intermediates;
|
| + intermediates.push_back(certs[1]->os_cert_handle());
|
| + intermediates.push_back(certs[2]->os_cert_handle());
|
| + scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
|
| + certs[0]->os_cert_handle(), intermediates);
|
| + ASSERT_TRUE(cert_chain);
|
| + ASSERT_EQ(2U, cert_chain->GetIntermediateCertificates().size());
|
| + out->swap(cert_chain);
|
| +}
|
| +
|
| +TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertOk) {
|
| + mock_verifier_->set_default_result(OK);
|
| +
|
| + scoped_refptr<X509Certificate> test_cert;
|
| + ASSERT_NO_FATAL_FAILURE(GetNonWhitelistedTestCert(&test_cert));
|
| + CertVerifyResult verify_result;
|
| + TestCompletionCallback callback;
|
| + std::unique_ptr<CertVerifier::Request> request;
|
| +
|
| + EXPECT_THAT(callback.GetResult(verifier_.Verify(
|
| + MakeRequestParams(test_cert), nullptr, &verify_result,
|
| + callback.callback(), &request, NetLogWithSource())),
|
| + IsOk());
|
| +}
|
| +
|
| +TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertError) {
|
| + scoped_refptr<X509Certificate> test_cert;
|
| + ASSERT_NO_FATAL_FAILURE(GetNonWhitelistedTestCert(&test_cert));
|
| + CertVerifyResult verify_result;
|
| + TestCompletionCallback callback;
|
| + std::unique_ptr<CertVerifier::Request> request;
|
| +
|
| + EXPECT_THAT(callback.GetResult(verifier_.Verify(
|
| + MakeRequestParams(test_cert), nullptr, &verify_result,
|
| + callback.callback(), &request, NetLogWithSource())),
|
| + IsError(ERR_CERT_INVALID));
|
| +}
|
| +
|
| +TEST_F(IgnoreErrorsCertVerifierTest, TestMatch) {
|
| + scoped_refptr<X509Certificate> test_cert;
|
| + ASSERT_NO_FATAL_FAILURE(GetWhitelistedTestCert(&test_cert));
|
| + CertVerifyResult verify_result;
|
| + TestCompletionCallback callback;
|
| + std::unique_ptr<CertVerifier::Request> request;
|
| +
|
| + EXPECT_THAT(callback.GetResult(verifier_.Verify(
|
| + MakeRequestParams(test_cert), nullptr, &verify_result,
|
| + callback.callback(), &request, NetLogWithSource())),
|
| + IsOk());
|
| +}
|
| +
|
| +class IgnoreCertificateErrorsSPKIListFlagTest
|
| + : public ::testing::TestWithParam<bool> {
|
| + public:
|
| + IgnoreCertificateErrorsSPKIListFlagTest() {
|
| + base::CommandLine command_line(base::CommandLine::NO_PROGRAM);
|
| + if (GetParam()) {
|
| + command_line.AppendSwitchASCII(switches::kUserDataDir, "/foo/bar/baz");
|
| + }
|
| + command_line.AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList,
|
| + base::JoinString(MakeWhitelist(), ","));
|
| +
|
| + auto mock_verifier = base::MakeUnique<MockCertVerifier>();
|
| + mock_verifier->set_default_result(ERR_CERT_INVALID);
|
| + verifier_ = IgnoreErrorsCertVerifier::MaybeWrapCertVerifier(
|
| + command_line, std::move(mock_verifier));
|
| + }
|
| + ~IgnoreCertificateErrorsSPKIListFlagTest() override {}
|
| +
|
| + protected:
|
| + std::unique_ptr<CertVerifier> verifier_;
|
| +};
|
| +
|
| +// Only if both --user-data-dir and --ignore-certificate-errors-from-spki-list
|
| +// are present, certificate verification is bypassed.
|
| +TEST_P(IgnoreCertificateErrorsSPKIListFlagTest, TestUserDataDirSwitchRequired) {
|
| + scoped_refptr<X509Certificate> test_cert;
|
| + ASSERT_NO_FATAL_FAILURE(GetWhitelistedTestCert(&test_cert));
|
| + CertVerifyResult verify_result;
|
| + TestCompletionCallback callback;
|
| + std::unique_ptr<CertVerifier::Request> request;
|
| +
|
| + if (GetParam()) {
|
| + EXPECT_THAT(callback.GetResult(verifier_->Verify(
|
| + MakeRequestParams(test_cert), nullptr, &verify_result,
|
| + callback.callback(), &request, NetLogWithSource())),
|
| + IsOk());
|
| + } else {
|
| + EXPECT_THAT(callback.GetResult(verifier_->Verify(
|
| + MakeRequestParams(test_cert), nullptr, &verify_result,
|
| + callback.callback(), &request, NetLogWithSource())),
|
| + IsError(ERR_CERT_INVALID));
|
| + }
|
| +}
|
| +
|
| +INSTANTIATE_TEST_CASE_P(WithUserDataDirSwitchPresent,
|
| + IgnoreCertificateErrorsSPKIListFlagTest,
|
| + ::testing::Bool());
|
|
|
Chromium Code Reviews
Issue 2753123002:
Add --ignore-certificate-errors-spki-list switch and UMA histogram. (Closed)
