OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
86 const char* const kBadPath[] = { | 86 const char* const kBadPath[] = { |
87 "sha1/111111111111111111111111111=", | 87 "sha1/111111111111111111111111111=", |
88 "sha1/222222222222222222222222222=", | 88 "sha1/222222222222222222222222222=", |
89 "sha1/333333333333333333333333333=", | 89 "sha1/333333333333333333333333333=", |
90 "sha256/1111111111111111111111111111111111111111111=", | 90 "sha256/1111111111111111111111111111111111111111111=", |
91 "sha256/2222222222222222222222222222222222222222222=", | 91 "sha256/2222222222222222222222222222222222222222222=", |
92 "sha256/3333333333333333333333333333333333333333333=", | 92 "sha256/3333333333333333333333333333333333333333333=", |
93 nullptr, | 93 nullptr, |
94 }; | 94 }; |
95 | 95 |
| 96 // Constructs a SignedCertificateTimestampAndStatus with the given information |
| 97 // and appends it to |sct_list|. |
| 98 void MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::Origin origin, |
| 99 const std::string& log_id, |
| 100 const std::string& extensions, |
| 101 const std::string& signature_data, |
| 102 const base::Time& timestamp, |
| 103 ct::SCTVerifyStatus status, |
| 104 SignedCertificateTimestampAndStatusList* sct_list) { |
| 105 scoped_refptr<net::ct::SignedCertificateTimestamp> sct( |
| 106 new net::ct::SignedCertificateTimestamp()); |
| 107 sct->version = net::ct::SignedCertificateTimestamp::V1; |
| 108 sct->log_id = log_id; |
| 109 sct->extensions = extensions; |
| 110 sct->timestamp = timestamp; |
| 111 sct->signature.signature_data = signature_data; |
| 112 sct->origin = origin; |
| 113 sct_list->push_back(net::SignedCertificateTimestampAndStatus(sct, status)); |
| 114 } |
| 115 |
96 // A mock ReportSenderInterface that just remembers the latest report | 116 // A mock ReportSenderInterface that just remembers the latest report |
97 // URI and report to be sent. | 117 // URI and report to be sent. |
98 class MockCertificateReportSender | 118 class MockCertificateReportSender |
99 : public TransportSecurityState::ReportSenderInterface { | 119 : public TransportSecurityState::ReportSenderInterface { |
100 public: | 120 public: |
101 MockCertificateReportSender() {} | 121 MockCertificateReportSender() {} |
102 ~MockCertificateReportSender() override {} | 122 ~MockCertificateReportSender() override {} |
103 | 123 |
104 void Send(const GURL& report_uri, | 124 void Send(const GURL& report_uri, |
105 base::StringPiece content_type, | 125 base::StringPiece content_type, |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
154 | 174 |
155 // A mock ExpectCTReporter that remembers the latest violation that was | 175 // A mock ExpectCTReporter that remembers the latest violation that was |
156 // reported and the number of violations reported. | 176 // reported and the number of violations reported. |
157 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { | 177 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { |
158 public: | 178 public: |
159 MockExpectCTReporter() : num_failures_(0) {} | 179 MockExpectCTReporter() : num_failures_(0) {} |
160 ~MockExpectCTReporter() override {} | 180 ~MockExpectCTReporter() override {} |
161 | 181 |
162 void OnExpectCTFailed(const HostPortPair& host_port_pair, | 182 void OnExpectCTFailed(const HostPortPair& host_port_pair, |
163 const GURL& report_uri, | 183 const GURL& report_uri, |
164 const net::SSLInfo& ssl_info) override { | 184 const X509Certificate* served_certificate_chain, |
| 185 const X509Certificate* validated_certificate_chain, |
| 186 const SignedCertificateTimestampAndStatusList& |
| 187 signed_certificate_timestamps) override { |
165 num_failures_++; | 188 num_failures_++; |
166 host_port_pair_ = host_port_pair; | 189 host_port_pair_ = host_port_pair; |
167 report_uri_ = report_uri; | 190 report_uri_ = report_uri; |
168 ssl_info_ = ssl_info; | 191 served_certificate_chain_ = served_certificate_chain; |
| 192 validated_certificate_chain_ = validated_certificate_chain; |
| 193 signed_certificate_timestamps_ = signed_certificate_timestamps; |
169 } | 194 } |
170 | 195 |
171 const HostPortPair& host_port_pair() { return host_port_pair_; } | 196 const HostPortPair& host_port_pair() { return host_port_pair_; } |
172 const GURL& report_uri() { return report_uri_; } | 197 const GURL& report_uri() { return report_uri_; } |
173 const SSLInfo& ssl_info() { return ssl_info_; } | |
174 uint32_t num_failures() { return num_failures_; } | 198 uint32_t num_failures() { return num_failures_; } |
| 199 const X509Certificate* served_certificate_chain() { |
| 200 return served_certificate_chain_; |
| 201 } |
| 202 const X509Certificate* validated_certificate_chain() { |
| 203 return validated_certificate_chain_; |
| 204 } |
| 205 const SignedCertificateTimestampAndStatusList& |
| 206 signed_certificate_timestamps() { |
| 207 return signed_certificate_timestamps_; |
| 208 } |
175 | 209 |
176 private: | 210 private: |
177 HostPortPair host_port_pair_; | 211 HostPortPair host_port_pair_; |
178 GURL report_uri_; | 212 GURL report_uri_; |
179 SSLInfo ssl_info_; | |
180 uint32_t num_failures_; | 213 uint32_t num_failures_; |
| 214 const X509Certificate* served_certificate_chain_; |
| 215 const X509Certificate* validated_certificate_chain_; |
| 216 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_; |
181 }; | 217 }; |
182 | 218 |
183 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { | 219 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
184 public: | 220 public: |
185 MOCK_METHOD1(IsCTRequiredForHost, | 221 MOCK_METHOD1(IsCTRequiredForHost, |
186 CTRequirementLevel(const std::string& hostname)); | 222 CTRequirementLevel(const std::string& hostname)); |
187 }; | 223 }; |
188 | 224 |
189 void CompareCertificateChainWithList( | 225 void CompareCertificateChainWithList( |
190 const scoped_refptr<X509Certificate>& cert_chain, | 226 const scoped_refptr<X509Certificate>& cert_chain, |
(...skipping 1828 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2019 | 2055 |
2020 // Tests that the Expect CT reporter is notified for noncompliant | 2056 // Tests that the Expect CT reporter is notified for noncompliant |
2021 // connections. | 2057 // connections. |
2022 TEST_F(TransportSecurityStateTest, ExpectCTReporter) { | 2058 TEST_F(TransportSecurityStateTest, ExpectCTReporter) { |
2023 HostPortPair host_port(kExpectCTStaticHostname, 443); | 2059 HostPortPair host_port(kExpectCTStaticHostname, 443); |
2024 SSLInfo ssl_info; | 2060 SSLInfo ssl_info; |
2025 ssl_info.ct_compliance_details_available = true; | 2061 ssl_info.ct_compliance_details_available = true; |
2026 ssl_info.ct_cert_policy_compliance = | 2062 ssl_info.ct_cert_policy_compliance = |
2027 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS; | 2063 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS; |
2028 ssl_info.is_issued_by_known_root = true; | 2064 ssl_info.is_issued_by_known_root = true; |
| 2065 scoped_refptr<X509Certificate> cert1 = |
| 2066 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 2067 scoped_refptr<X509Certificate> cert2 = |
| 2068 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 2069 ASSERT_TRUE(cert1); |
| 2070 ASSERT_TRUE(cert2); |
| 2071 ssl_info.unverified_cert = cert1; |
| 2072 ssl_info.cert = cert2; |
| 2073 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", |
| 2074 std::string(), std::string(), base::Time::Now(), |
| 2075 ct::SCT_STATUS_INVALID_SIGNATURE, |
| 2076 &ssl_info.signed_certificate_timestamps); |
2029 | 2077 |
2030 TransportSecurityState state; | 2078 TransportSecurityState state; |
2031 TransportSecurityStateTest::EnableStaticExpectCT(&state); | 2079 TransportSecurityStateTest::EnableStaticExpectCT(&state); |
2032 MockExpectCTReporter reporter; | 2080 MockExpectCTReporter reporter; |
2033 state.SetExpectCTReporter(&reporter); | 2081 state.SetExpectCTReporter(&reporter); |
2034 state.ProcessExpectCTHeader("preload", host_port, ssl_info); | 2082 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
2035 EXPECT_EQ(1u, reporter.num_failures()); | 2083 EXPECT_EQ(1u, reporter.num_failures()); |
2036 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); | |
2037 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, | |
2038 reporter.ssl_info().ct_cert_policy_compliance); | |
2039 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 2084 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
2040 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 2085 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
2041 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 2086 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
| 2087 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); |
| 2088 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); |
| 2089 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), |
| 2090 reporter.signed_certificate_timestamps().size()); |
| 2091 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, |
| 2092 reporter.signed_certificate_timestamps()[0].status); |
| 2093 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct, |
| 2094 reporter.signed_certificate_timestamps()[0].sct); |
2042 } | 2095 } |
2043 | 2096 |
2044 // Simple test for the HSTS preload process. The trie (generated from | 2097 // Simple test for the HSTS preload process. The trie (generated from |
2045 // transport_security_state_static_unittest1.json) contains 1 entry. Test that | 2098 // transport_security_state_static_unittest1.json) contains 1 entry. Test that |
2046 // the lookup methods can find the entry and correctly decode the different | 2099 // the lookup methods can find the entry and correctly decode the different |
2047 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). | 2100 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). |
2048 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { | 2101 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { |
2049 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); | 2102 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); |
2050 | 2103 |
2051 TransportSecurityState state; | 2104 TransportSecurityState state; |
(...skipping 449 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2501 scoped_refptr<X509Certificate> cert = | 2554 scoped_refptr<X509Certificate> cert = |
2502 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | 2555 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
2503 ASSERT_TRUE(cert); | 2556 ASSERT_TRUE(cert); |
2504 | 2557 |
2505 HashValueVector hashes; | 2558 HashValueVector hashes; |
2506 hashes.push_back(HashValue( | 2559 hashes.push_back(HashValue( |
2507 X509Certificate::CalculateFingerprint256(cert->os_cert_handle()))); | 2560 X509Certificate::CalculateFingerprint256(cert->os_cert_handle()))); |
2508 | 2561 |
2509 { | 2562 { |
2510 TransportSecurityState state; | 2563 TransportSecurityState state; |
2511 bool original_status = | 2564 bool original_status = state.ShouldRequireCT( |
2512 state.ShouldRequireCT("www.example.com", cert.get(), hashes); | 2565 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2566 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2567 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS); |
2513 | 2568 |
2514 MockRequireCTDelegate always_require_delegate; | 2569 MockRequireCTDelegate always_require_delegate; |
2515 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) | 2570 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) |
2516 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); | 2571 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); |
2517 state.SetRequireCTDelegate(&always_require_delegate); | 2572 state.SetRequireCTDelegate(&always_require_delegate); |
2518 EXPECT_TRUE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2573 EXPECT_TRUE(state.ShouldRequireCT( |
| 2574 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2575 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2576 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2519 | 2577 |
2520 state.SetRequireCTDelegate(nullptr); | 2578 state.SetRequireCTDelegate(nullptr); |
2521 EXPECT_EQ(original_status, | 2579 EXPECT_EQ( |
2522 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2580 original_status, |
| 2581 state.ShouldRequireCT( |
| 2582 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2583 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2584 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2523 } | 2585 } |
2524 | 2586 |
2525 { | 2587 { |
2526 TransportSecurityState state; | 2588 TransportSecurityState state; |
2527 bool original_status = | 2589 bool original_status = state.ShouldRequireCT( |
2528 state.ShouldRequireCT("www.example.com", cert.get(), hashes); | 2590 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2591 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2592 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS); |
2529 | 2593 |
2530 MockRequireCTDelegate never_require_delegate; | 2594 MockRequireCTDelegate never_require_delegate; |
2531 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_)) | 2595 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_)) |
2532 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); | 2596 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); |
2533 state.SetRequireCTDelegate(&never_require_delegate); | 2597 state.SetRequireCTDelegate(&never_require_delegate); |
2534 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2598 EXPECT_FALSE(state.ShouldRequireCT( |
| 2599 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2600 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2601 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2535 | 2602 |
2536 state.SetRequireCTDelegate(nullptr); | 2603 state.SetRequireCTDelegate(nullptr); |
2537 EXPECT_EQ(original_status, | 2604 EXPECT_EQ( |
2538 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2605 original_status, |
| 2606 state.ShouldRequireCT( |
| 2607 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2608 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2609 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2539 } | 2610 } |
2540 | 2611 |
2541 { | 2612 { |
2542 TransportSecurityState state; | 2613 TransportSecurityState state; |
2543 bool original_status = | 2614 bool original_status = state.ShouldRequireCT( |
2544 state.ShouldRequireCT("www.example.com", cert.get(), hashes); | 2615 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2616 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2617 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS); |
2545 | 2618 |
2546 MockRequireCTDelegate default_require_ct_delegate; | 2619 MockRequireCTDelegate default_require_ct_delegate; |
2547 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_)) | 2620 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_)) |
2548 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); | 2621 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); |
2549 state.SetRequireCTDelegate(&default_require_ct_delegate); | 2622 state.SetRequireCTDelegate(&default_require_ct_delegate); |
2550 EXPECT_EQ(original_status, | 2623 EXPECT_EQ( |
2551 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2624 original_status, |
| 2625 state.ShouldRequireCT( |
| 2626 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2627 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2628 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2552 | 2629 |
2553 state.SetRequireCTDelegate(nullptr); | 2630 state.SetRequireCTDelegate(nullptr); |
2554 EXPECT_EQ(original_status, | 2631 EXPECT_EQ( |
2555 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2632 original_status, |
| 2633 state.ShouldRequireCT( |
| 2634 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2635 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2636 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2556 } | 2637 } |
2557 } | 2638 } |
2558 | 2639 |
2559 // Tests that Certificate Transparency is required for Symantec-issued | 2640 // Tests that Certificate Transparency is required for Symantec-issued |
2560 // certificates, unless the certificate was issued prior to 1 June 2016 | 2641 // certificates, unless the certificate was issued prior to 1 June 2016 |
2561 // or the issuing CA is whitelisted as independently operated. | 2642 // or the issuing CA is whitelisted as independently operated. |
2562 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { | 2643 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { |
2563 // Test certificates before and after the 1 June 2016 deadline. | 2644 // Test certificates before and after the 1 June 2016 deadline. |
2564 scoped_refptr<X509Certificate> before_cert = | 2645 scoped_refptr<X509Certificate> before_cert = |
2565 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); | 2646 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); |
(...skipping 11 matching lines...) Expand all Loading... |
2577 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, | 2658 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, |
2578 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; | 2659 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; |
2579 | 2660 |
2580 TransportSecurityState state; | 2661 TransportSecurityState state; |
2581 | 2662 |
2582 HashValueVector hashes; | 2663 HashValueVector hashes; |
2583 hashes.push_back(HashValue(symantec_hash_value)); | 2664 hashes.push_back(HashValue(symantec_hash_value)); |
2584 | 2665 |
2585 // Certificates issued by Symantec prior to 1 June 2016 should not | 2666 // Certificates issued by Symantec prior to 1 June 2016 should not |
2586 // be required to be disclosed via CT. | 2667 // be required to be disclosed via CT. |
2587 EXPECT_FALSE( | 2668 EXPECT_FALSE(state.ShouldRequireCT( |
2588 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2669 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), |
| 2670 before_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2671 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2589 | 2672 |
2590 // ... but certificates issued after 1 June 2016 are required to be... | 2673 // ... but certificates issued after 1 June 2016 are required to be... |
2591 EXPECT_TRUE( | 2674 EXPECT_TRUE(state.ShouldRequireCT( |
2592 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2675 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
| 2676 after_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2677 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2593 | 2678 |
2594 // ... unless they were issued by an excluded intermediate. | 2679 // ... unless they were issued by an excluded intermediate. |
2595 hashes.push_back(HashValue(google_hash_value)); | 2680 hashes.push_back(HashValue(google_hash_value)); |
2596 EXPECT_FALSE( | 2681 EXPECT_FALSE(state.ShouldRequireCT( |
2597 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2682 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), |
2598 EXPECT_FALSE( | 2683 before_cert.get(), SignedCertificateTimestampAndStatusList(), |
2599 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2684 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
| 2685 EXPECT_FALSE(state.ShouldRequireCT( |
| 2686 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
| 2687 after_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2688 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2600 | 2689 |
2601 // And other certificates should remain unaffected. | 2690 // And other certificates should remain unaffected. |
2602 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}}; | 2691 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}}; |
2603 HashValueVector unrelated_hashes; | 2692 HashValueVector unrelated_hashes; |
2604 unrelated_hashes.push_back(HashValue(unrelated_hash_value)); | 2693 unrelated_hashes.push_back(HashValue(unrelated_hash_value)); |
2605 | 2694 |
2606 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", before_cert.get(), | 2695 EXPECT_FALSE(state.ShouldRequireCT( |
2607 unrelated_hashes)); | 2696 HostPortPair("www.example.com", 443), true, unrelated_hashes, |
2608 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", after_cert.get(), | 2697 before_cert.get(), before_cert.get(), |
2609 unrelated_hashes)); | 2698 SignedCertificateTimestampAndStatusList(), |
| 2699 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
| 2700 EXPECT_FALSE(state.ShouldRequireCT( |
| 2701 HostPortPair("www.example.com", 443), true, unrelated_hashes, |
| 2702 after_cert.get(), after_cert.get(), |
| 2703 SignedCertificateTimestampAndStatusList(), |
| 2704 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2610 | 2705 |
2611 // And the emergency field trial should disable the requirement, if | 2706 // And the emergency field trial should disable the requirement, if |
2612 // necessary. | 2707 // necessary. |
2613 hashes.clear(); | 2708 hashes.clear(); |
2614 hashes.push_back(HashValue(symantec_hash_value)); | 2709 hashes.push_back(HashValue(symantec_hash_value)); |
2615 base::FieldTrialList field_trial_list( | 2710 base::FieldTrialList field_trial_list( |
2616 base::MakeUnique<base::MockEntropyProvider>()); | 2711 base::MakeUnique<base::MockEntropyProvider>()); |
2617 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", | 2712 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", |
2618 "disabled"); | 2713 "disabled"); |
2619 | 2714 |
2620 EXPECT_FALSE( | 2715 EXPECT_FALSE(state.ShouldRequireCT( |
2621 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2716 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), |
2622 EXPECT_FALSE( | 2717 before_cert.get(), SignedCertificateTimestampAndStatusList(), |
2623 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2718 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
| 2719 EXPECT_FALSE(state.ShouldRequireCT( |
| 2720 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
| 2721 after_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2722 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
2624 } | 2723 } |
2625 | 2724 |
2626 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). | 2725 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). |
2627 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { | 2726 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { |
2628 base::test::ScopedFeatureList feature_list; | 2727 base::test::ScopedFeatureList feature_list; |
2629 feature_list.InitAndEnableFeature( | 2728 feature_list.InitAndEnableFeature( |
2630 TransportSecurityState::kDynamicExpectCTFeature); | 2729 TransportSecurityState::kDynamicExpectCTFeature); |
2631 const std::string host("example.test"); | 2730 const std::string host("example.test"); |
2632 TransportSecurityState state; | 2731 TransportSecurityState state; |
2633 TransportSecurityState::ExpectCTState expect_ct_state; | 2732 TransportSecurityState::ExpectCTState expect_ct_state; |
(...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2777 MockExpectCTReporter reporter; | 2876 MockExpectCTReporter reporter; |
2778 state.SetExpectCTReporter(&reporter); | 2877 state.SetExpectCTReporter(&reporter); |
2779 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); | 2878 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
2780 TransportSecurityState::ExpectCTState expect_ct_state; | 2879 TransportSecurityState::ExpectCTState expect_ct_state; |
2781 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); | 2880 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
2782 EXPECT_EQ(0u, reporter.num_failures()); | 2881 EXPECT_EQ(0u, reporter.num_failures()); |
2783 } | 2882 } |
2784 | 2883 |
2785 // Tests that Expect-CT reports are sent when an Expect-CT header is received | 2884 // Tests that Expect-CT reports are sent when an Expect-CT header is received |
2786 // over a non-compliant connection. | 2885 // over a non-compliant connection. |
2787 TEST_F(TransportSecurityStateTest, DynamicExpectCTNonCompliant) { | 2886 TEST_F(TransportSecurityStateTest, |
| 2887 DynamicExpectCTHeaderProcessingNonCompliant) { |
2788 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; | 2888 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; |
2789 SSLInfo ssl; | 2889 SSLInfo ssl; |
2790 ssl.is_issued_by_known_root = true; | 2890 ssl.is_issued_by_known_root = true; |
2791 ssl.ct_compliance_details_available = true; | 2891 ssl.ct_compliance_details_available = true; |
2792 ssl.ct_cert_policy_compliance = | 2892 ssl.ct_cert_policy_compliance = |
2793 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; | 2893 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; |
| 2894 scoped_refptr<X509Certificate> cert1 = |
| 2895 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 2896 scoped_refptr<X509Certificate> cert2 = |
| 2897 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 2898 ASSERT_TRUE(cert1); |
| 2899 ASSERT_TRUE(cert2); |
| 2900 ssl.unverified_cert = cert1; |
| 2901 ssl.cert = cert2; |
| 2902 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", |
| 2903 std::string(), std::string(), base::Time::Now(), |
| 2904 ct::SCT_STATUS_INVALID_SIGNATURE, |
| 2905 &ssl.signed_certificate_timestamps); |
2794 | 2906 |
2795 base::test::ScopedFeatureList feature_list; | 2907 base::test::ScopedFeatureList feature_list; |
2796 feature_list.InitAndEnableFeature( | 2908 feature_list.InitAndEnableFeature( |
2797 TransportSecurityState::kDynamicExpectCTFeature); | 2909 TransportSecurityState::kDynamicExpectCTFeature); |
2798 TransportSecurityState state; | 2910 TransportSecurityState state; |
2799 MockExpectCTReporter reporter; | 2911 MockExpectCTReporter reporter; |
2800 state.SetExpectCTReporter(&reporter); | 2912 state.SetExpectCTReporter(&reporter); |
2801 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); | 2913 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
2802 TransportSecurityState::ExpectCTState expect_ct_state; | 2914 TransportSecurityState::ExpectCTState expect_ct_state; |
2803 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); | 2915 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
2804 EXPECT_EQ(1u, reporter.num_failures()); | 2916 EXPECT_EQ(1u, reporter.num_failures()); |
2805 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | 2917 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 2918 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); |
| 2919 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); |
| 2920 EXPECT_EQ(ssl.signed_certificate_timestamps.size(), |
| 2921 reporter.signed_certificate_timestamps().size()); |
| 2922 EXPECT_EQ(ssl.signed_certificate_timestamps[0].status, |
| 2923 reporter.signed_certificate_timestamps()[0].status); |
| 2924 EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct, |
| 2925 reporter.signed_certificate_timestamps()[0].sct); |
| 2926 } |
| 2927 |
| 2928 // Tests that ShouldRequireCT() returns true if a connection to a host violates |
| 2929 // an Expect-CT header, and that it reports violations. |
| 2930 TEST_F(TransportSecurityStateTest, ShouldRequireCTWithExpectCT) { |
| 2931 const base::Time current_time(base::Time::Now()); |
| 2932 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 2933 scoped_refptr<X509Certificate> cert1 = |
| 2934 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 2935 scoped_refptr<X509Certificate> cert2 = |
| 2936 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 2937 ASSERT_TRUE(cert1); |
| 2938 ASSERT_TRUE(cert2); |
| 2939 SignedCertificateTimestampAndStatusList sct_list; |
| 2940 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", |
| 2941 std::string(), std::string(), base::Time::Now(), |
| 2942 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list); |
| 2943 |
| 2944 base::test::ScopedFeatureList feature_list; |
| 2945 feature_list.InitAndEnableFeature( |
| 2946 TransportSecurityState::kDynamicExpectCTFeature); |
| 2947 |
| 2948 TransportSecurityState state; |
| 2949 MockExpectCTReporter reporter; |
| 2950 state.SetExpectCTReporter(&reporter); |
| 2951 state.AddExpectCT("example.test", expiry, true /* enforce */, |
| 2952 GURL("https://example-report.test")); |
| 2953 state.AddExpectCT("example-report-only.test", expiry, false /* enforce */, |
| 2954 GURL("https://example-report.test")); |
| 2955 state.AddExpectCT("example-enforce-only.test", expiry, true /* enforce */, |
| 2956 GURL()); |
| 2957 |
| 2958 // Test that a connection to an unrelated host is not affected. |
| 2959 EXPECT_FALSE(state.ShouldRequireCT( |
| 2960 HostPortPair("example2.test", 443), true, HashValueVector(), cert1.get(), |
| 2961 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
| 2962 EXPECT_EQ(0u, reporter.num_failures()); |
| 2963 |
| 2964 // A connection to an Expect-CT host should be closed and reported. |
| 2965 EXPECT_TRUE(state.ShouldRequireCT( |
| 2966 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(), |
| 2967 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
| 2968 EXPECT_EQ(1u, reporter.num_failures()); |
| 2969 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 2970 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 2971 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
| 2972 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
| 2973 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
| 2974 EXPECT_EQ(sct_list[0].status, |
| 2975 reporter.signed_certificate_timestamps()[0].status); |
| 2976 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
| 2977 |
| 2978 // A connection to a report-only host should be reported only. |
| 2979 EXPECT_FALSE(state.ShouldRequireCT( |
| 2980 HostPortPair("example-report-only.test", 443), true, HashValueVector(), |
| 2981 cert1.get(), cert2.get(), sct_list, |
| 2982 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
| 2983 EXPECT_EQ(2u, reporter.num_failures()); |
| 2984 EXPECT_EQ("example-report-only.test", reporter.host_port_pair().host()); |
| 2985 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 2986 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
| 2987 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
| 2988 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
| 2989 EXPECT_EQ(sct_list[0].status, |
| 2990 reporter.signed_certificate_timestamps()[0].status); |
| 2991 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
| 2992 |
| 2993 // A connection to an enforce-only host should be closed but not reported. |
| 2994 EXPECT_TRUE(state.ShouldRequireCT( |
| 2995 HostPortPair("example-enforce-only.test", 443), true, HashValueVector(), |
| 2996 cert1.get(), cert2.get(), sct_list, |
| 2997 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
| 2998 EXPECT_EQ(2u, reporter.num_failures()); |
| 2999 |
| 3000 // A connection with a private root should be neither enforced nor reported. |
| 3001 EXPECT_FALSE(state.ShouldRequireCT( |
| 3002 HostPortPair("example.test", 443), false, HashValueVector(), cert1.get(), |
| 3003 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
| 3004 EXPECT_EQ(2u, reporter.num_failures()); |
| 3005 |
| 3006 // A connection with DISABLE_EXPECT_CT_REPORTS should not send a report. |
| 3007 EXPECT_TRUE(state.ShouldRequireCT( |
| 3008 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(), |
| 3009 cert2.get(), sct_list, |
| 3010 TransportSecurityState::DISABLE_EXPECT_CT_REPORTS)); |
| 3011 EXPECT_EQ(2u, reporter.num_failures()); |
| 3012 } |
| 3013 |
| 3014 // Tests that for a host that requires CT by delegate and is also |
| 3015 // Expect-CT-enabled, ShouldRequireCT() sends reports. |
| 3016 TEST_F(TransportSecurityStateTest, ShouldRequireCTWithExpectCTAndDelegate) { |
| 3017 using ::testing::_; |
| 3018 using ::testing::Return; |
| 3019 using CTRequirementLevel = |
| 3020 TransportSecurityState::RequireCTDelegate::CTRequirementLevel; |
| 3021 |
| 3022 const base::Time current_time(base::Time::Now()); |
| 3023 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 3024 scoped_refptr<X509Certificate> cert1 = |
| 3025 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 3026 scoped_refptr<X509Certificate> cert2 = |
| 3027 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 3028 ASSERT_TRUE(cert1); |
| 3029 ASSERT_TRUE(cert2); |
| 3030 SignedCertificateTimestampAndStatusList sct_list; |
| 3031 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", |
| 3032 std::string(), std::string(), base::Time::Now(), |
| 3033 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list); |
| 3034 |
| 3035 base::test::ScopedFeatureList feature_list; |
| 3036 feature_list.InitAndEnableFeature( |
| 3037 TransportSecurityState::kDynamicExpectCTFeature); |
| 3038 |
| 3039 TransportSecurityState state; |
| 3040 MockExpectCTReporter reporter; |
| 3041 state.SetExpectCTReporter(&reporter); |
| 3042 state.AddExpectCT("example.test", expiry, false /* enforce */, |
| 3043 GURL("https://example-report.test")); |
| 3044 |
| 3045 // A connection to an Expect-CT host, which also requires CT by the delegate, |
| 3046 // should be closed and reported. |
| 3047 MockRequireCTDelegate always_require_delegate; |
| 3048 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) |
| 3049 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); |
| 3050 state.SetRequireCTDelegate(&always_require_delegate); |
| 3051 EXPECT_TRUE(state.ShouldRequireCT( |
| 3052 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(), |
| 3053 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS)); |
| 3054 EXPECT_EQ(1u, reporter.num_failures()); |
| 3055 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 3056 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 3057 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
| 3058 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
| 3059 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
| 3060 EXPECT_EQ(sct_list[0].status, |
| 3061 reporter.signed_certificate_timestamps()[0].status); |
| 3062 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
2806 } | 3063 } |
2807 | 3064 |
2808 } // namespace net | 3065 } // namespace net |
OLD | NEW |