Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(4)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/transport_security_state_unittest.cc

Issue 2850033002: Check Expect-CT at connection setup (Closed)
Patch Set: mattm comments Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/http/transport_security_state.cc ('K') | « net/http/transport_security_state.cc ('k') | net/quic/chromium/crypto/proof_verifier_chromium.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/transport_security_state.h" 5 #include "net/http/transport_security_state.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <string> 8 #include <string>
9 #include <vector> 9 #include <vector>
10 10
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after
86 const char* const kBadPath[] = { 86 const char* const kBadPath[] = {
87 "sha1/111111111111111111111111111=", 87 "sha1/111111111111111111111111111=",
88 "sha1/222222222222222222222222222=", 88 "sha1/222222222222222222222222222=",
89 "sha1/333333333333333333333333333=", 89 "sha1/333333333333333333333333333=",
90 "sha256/1111111111111111111111111111111111111111111=", 90 "sha256/1111111111111111111111111111111111111111111=",
91 "sha256/2222222222222222222222222222222222222222222=", 91 "sha256/2222222222222222222222222222222222222222222=",
92 "sha256/3333333333333333333333333333333333333333333=", 92 "sha256/3333333333333333333333333333333333333333333=",
93 nullptr, 93 nullptr,
94 }; 94 };
95 95
96 // Constructs a SignedCertificateTimestampAndStatus with the given information
97 // and appends it to |sct_list|.
98 void MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::Origin origin,
99 const std::string& log_id,
100 const std::string& extensions,
101 const std::string& signature_data,
102 const base::Time& timestamp,
103 ct::SCTVerifyStatus status,
104 SignedCertificateTimestampAndStatusList* sct_list) {
105 scoped_refptr<net::ct::SignedCertificateTimestamp> sct(
106 new net::ct::SignedCertificateTimestamp());
107 sct->version = net::ct::SignedCertificateTimestamp::V1;
108 sct->log_id = log_id;
109 sct->extensions = extensions;
110 sct->timestamp = timestamp;
111 sct->signature.signature_data = signature_data;
112 sct->origin = origin;
113 sct_list->push_back(net::SignedCertificateTimestampAndStatus(sct, status));
114 }
115
96 // A mock ReportSenderInterface that just remembers the latest report 116 // A mock ReportSenderInterface that just remembers the latest report
97 // URI and report to be sent. 117 // URI and report to be sent.
98 class MockCertificateReportSender 118 class MockCertificateReportSender
99 : public TransportSecurityState::ReportSenderInterface { 119 : public TransportSecurityState::ReportSenderInterface {
100 public: 120 public:
101 MockCertificateReportSender() {} 121 MockCertificateReportSender() {}
102 ~MockCertificateReportSender() override {} 122 ~MockCertificateReportSender() override {}
103 123
104 void Send(const GURL& report_uri, 124 void Send(const GURL& report_uri,
105 base::StringPiece content_type, 125 base::StringPiece content_type,
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after
154 174
155 // A mock ExpectCTReporter that remembers the latest violation that was 175 // A mock ExpectCTReporter that remembers the latest violation that was
156 // reported and the number of violations reported. 176 // reported and the number of violations reported.
157 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { 177 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
158 public: 178 public:
159 MockExpectCTReporter() : num_failures_(0) {} 179 MockExpectCTReporter() : num_failures_(0) {}
160 ~MockExpectCTReporter() override {} 180 ~MockExpectCTReporter() override {}
161 181
162 void OnExpectCTFailed(const HostPortPair& host_port_pair, 182 void OnExpectCTFailed(const HostPortPair& host_port_pair,
163 const GURL& report_uri, 183 const GURL& report_uri,
164 const net::SSLInfo& ssl_info) override { 184 const X509Certificate* validated_certificate_chain,
185 const X509Certificate* served_certificate_chain,
186 const SignedCertificateTimestampAndStatusList&
187 signed_certificate_timestamps) override {
165 num_failures_++; 188 num_failures_++;
166 host_port_pair_ = host_port_pair; 189 host_port_pair_ = host_port_pair;
167 report_uri_ = report_uri; 190 report_uri_ = report_uri;
168 ssl_info_ = ssl_info; 191 served_certificate_chain_ = served_certificate_chain;
192 validated_certificate_chain_ = validated_certificate_chain;
193 signed_certificate_timestamps_ = signed_certificate_timestamps;
169 } 194 }
170 195
171 const HostPortPair& host_port_pair() { return host_port_pair_; } 196 const HostPortPair& host_port_pair() { return host_port_pair_; }
172 const GURL& report_uri() { return report_uri_; } 197 const GURL& report_uri() { return report_uri_; }
173 const SSLInfo& ssl_info() { return ssl_info_; }
174 uint32_t num_failures() { return num_failures_; } 198 uint32_t num_failures() { return num_failures_; }
199 const X509Certificate* served_certificate_chain() {
200 return served_certificate_chain_;
201 }
202 const X509Certificate* validated_certificate_chain() {
203 return validated_certificate_chain_;
204 }
205 const SignedCertificateTimestampAndStatusList&
206 signed_certificate_timestamps() {
207 return signed_certificate_timestamps_;
208 }
175 209
176 private: 210 private:
177 HostPortPair host_port_pair_; 211 HostPortPair host_port_pair_;
178 GURL report_uri_; 212 GURL report_uri_;
179 SSLInfo ssl_info_;
180 uint32_t num_failures_; 213 uint32_t num_failures_;
214 const X509Certificate* served_certificate_chain_;
215 const X509Certificate* validated_certificate_chain_;
216 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_;
181 }; 217 };
182 218
183 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { 219 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
184 public: 220 public:
185 MOCK_METHOD1(IsCTRequiredForHost, 221 MOCK_METHOD1(IsCTRequiredForHost,
186 CTRequirementLevel(const std::string& hostname)); 222 CTRequirementLevel(const std::string& hostname));
187 }; 223 };
188 224
189 void CompareCertificateChainWithList( 225 void CompareCertificateChainWithList(
190 const scoped_refptr<X509Certificate>& cert_chain, 226 const scoped_refptr<X509Certificate>& cert_chain,
(...skipping 1828 matching lines...) Expand 10 before | Expand all | Expand 10 after
2019 2055
2020 // Tests that the Expect CT reporter is notified for noncompliant 2056 // Tests that the Expect CT reporter is notified for noncompliant
2021 // connections. 2057 // connections.
2022 TEST_F(TransportSecurityStateTest, ExpectCTReporter) { 2058 TEST_F(TransportSecurityStateTest, ExpectCTReporter) {
2023 HostPortPair host_port(kExpectCTStaticHostname, 443); 2059 HostPortPair host_port(kExpectCTStaticHostname, 443);
2024 SSLInfo ssl_info; 2060 SSLInfo ssl_info;
2025 ssl_info.ct_compliance_details_available = true; 2061 ssl_info.ct_compliance_details_available = true;
2026 ssl_info.ct_cert_policy_compliance = 2062 ssl_info.ct_cert_policy_compliance =
2027 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS; 2063 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS;
2028 ssl_info.is_issued_by_known_root = true; 2064 ssl_info.is_issued_by_known_root = true;
2065 scoped_refptr<X509Certificate> cert1 =
2066 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
2067 scoped_refptr<X509Certificate> cert2 =
2068 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
2069 ASSERT_TRUE(cert1);
2070 ASSERT_TRUE(cert2);
2071 ssl_info.unverified_cert = cert1;
2072 ssl_info.cert = cert2;
2073 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
2074 std::string(), std::string(), base::Time::Now(),
2075 ct::SCT_STATUS_INVALID_SIGNATURE,
2076 &ssl_info.signed_certificate_timestamps);
2029 2077
2030 TransportSecurityState state; 2078 TransportSecurityState state;
2031 TransportSecurityStateTest::EnableStaticExpectCT(&state); 2079 TransportSecurityStateTest::EnableStaticExpectCT(&state);
2032 MockExpectCTReporter reporter; 2080 MockExpectCTReporter reporter;
2033 state.SetExpectCTReporter(&reporter); 2081 state.SetExpectCTReporter(&reporter);
2034 state.ProcessExpectCTHeader("preload", host_port, ssl_info); 2082 state.ProcessExpectCTHeader("preload", host_port, ssl_info);
2035 EXPECT_EQ(1u, reporter.num_failures()); 2083 EXPECT_EQ(1u, reporter.num_failures());
2036 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available);
2037 EXPECT_EQ(ssl_info.ct_cert_policy_compliance,
2038 reporter.ssl_info().ct_cert_policy_compliance);
2039 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); 2084 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host());
2040 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); 2085 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port());
2041 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); 2086 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri());
2087 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain());
2088 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain());
2089 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(),
2090 reporter.signed_certificate_timestamps().size());
2091 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status,
2092 reporter.signed_certificate_timestamps()[0].status);
2093 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct,
2094 reporter.signed_certificate_timestamps()[0].sct);
2042 } 2095 }
2043 2096
2044 // Simple test for the HSTS preload process. The trie (generated from 2097 // Simple test for the HSTS preload process. The trie (generated from
2045 // transport_security_state_static_unittest1.json) contains 1 entry. Test that 2098 // transport_security_state_static_unittest1.json) contains 1 entry. Test that
2046 // the lookup methods can find the entry and correctly decode the different 2099 // the lookup methods can find the entry and correctly decode the different
2047 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). 2100 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple).
2048 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { 2101 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) {
2049 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); 2102 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource);
2050 2103
2051 TransportSecurityState state; 2104 TransportSecurityState state;
(...skipping 449 matching lines...) Expand 10 before | Expand all | Expand 10 after
2501 scoped_refptr<X509Certificate> cert = 2554 scoped_refptr<X509Certificate> cert =
2502 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); 2555 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
2503 ASSERT_TRUE(cert); 2556 ASSERT_TRUE(cert);
2504 2557
2505 HashValueVector hashes; 2558 HashValueVector hashes;
2506 hashes.push_back(HashValue( 2559 hashes.push_back(HashValue(
2507 X509Certificate::CalculateFingerprint256(cert->os_cert_handle()))); 2560 X509Certificate::CalculateFingerprint256(cert->os_cert_handle())));
2508 2561
2509 { 2562 {
2510 TransportSecurityState state; 2563 TransportSecurityState state;
2511 bool original_status = 2564 bool original_status = state.CheckCTRequirements(
2512 state.ShouldRequireCT("www.example.com", cert.get(), hashes); 2565 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2566 cert.get(), SignedCertificateTimestampAndStatusList(),
2567 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2568 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS);
2513 2569
2514 MockRequireCTDelegate always_require_delegate; 2570 MockRequireCTDelegate always_require_delegate;
2515 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) 2571 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_))
2516 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); 2572 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED));
2517 state.SetRequireCTDelegate(&always_require_delegate); 2573 state.SetRequireCTDelegate(&always_require_delegate);
2518 EXPECT_TRUE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2574 EXPECT_FALSE(state.CheckCTRequirements(
2575 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2576 cert.get(), SignedCertificateTimestampAndStatusList(),
2577 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2578 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2579 EXPECT_FALSE(state.CheckCTRequirements(
2580 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2581 cert.get(), SignedCertificateTimestampAndStatusList(),
2582 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2583 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
estark 2017/05/04 01:18:30 Now that the CertPolicyCompliance testing is in Tr
2584 EXPECT_TRUE(state.CheckCTRequirements(
2585 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2586 cert.get(), SignedCertificateTimestampAndStatusList(),
2587 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2588 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS));
2589 EXPECT_TRUE(state.CheckCTRequirements(
2590 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2591 cert.get(), SignedCertificateTimestampAndStatusList(),
2592 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2593 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY));
2519 2594
2520 state.SetRequireCTDelegate(nullptr); 2595 state.SetRequireCTDelegate(nullptr);
2521 EXPECT_EQ(original_status, 2596 EXPECT_EQ(
2522 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2597 original_status,
2598 state.CheckCTRequirements(
2599 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2600 cert.get(), SignedCertificateTimestampAndStatusList(),
2601 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2602 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2523 } 2603 }
2524 2604
2525 { 2605 {
2526 TransportSecurityState state; 2606 TransportSecurityState state;
2527 bool original_status = 2607 bool original_status = state.CheckCTRequirements(
2528 state.ShouldRequireCT("www.example.com", cert.get(), hashes); 2608 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2609 cert.get(), SignedCertificateTimestampAndStatusList(),
2610 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2611 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS);
2529 2612
2530 MockRequireCTDelegate never_require_delegate; 2613 MockRequireCTDelegate never_require_delegate;
2531 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_)) 2614 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_))
2532 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); 2615 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED));
2533 state.SetRequireCTDelegate(&never_require_delegate); 2616 state.SetRequireCTDelegate(&never_require_delegate);
2534 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2617 EXPECT_TRUE(state.CheckCTRequirements(
2618 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2619 cert.get(), SignedCertificateTimestampAndStatusList(),
2620 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2621 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2622 EXPECT_TRUE(state.CheckCTRequirements(
2623 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2624 cert.get(), SignedCertificateTimestampAndStatusList(),
2625 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2626 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
2535 2627
2536 state.SetRequireCTDelegate(nullptr); 2628 state.SetRequireCTDelegate(nullptr);
2537 EXPECT_EQ(original_status, 2629 EXPECT_EQ(
2538 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2630 original_status,
2631 state.CheckCTRequirements(
2632 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2633 cert.get(), SignedCertificateTimestampAndStatusList(),
2634 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2635 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2539 } 2636 }
2540 2637
2541 { 2638 {
2542 TransportSecurityState state; 2639 TransportSecurityState state;
2543 bool original_status = 2640 bool original_status = state.CheckCTRequirements(
2544 state.ShouldRequireCT("www.example.com", cert.get(), hashes); 2641 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2642 cert.get(), SignedCertificateTimestampAndStatusList(),
2643 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2644 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS);
2545 2645
2546 MockRequireCTDelegate default_require_ct_delegate; 2646 MockRequireCTDelegate default_require_ct_delegate;
2547 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_)) 2647 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_))
2548 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); 2648 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT));
2549 state.SetRequireCTDelegate(&default_require_ct_delegate); 2649 state.SetRequireCTDelegate(&default_require_ct_delegate);
2550 EXPECT_EQ(original_status, 2650 EXPECT_EQ(
2551 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2651 original_status,
2652 state.CheckCTRequirements(
2653 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2654 cert.get(), SignedCertificateTimestampAndStatusList(),
2655 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2656 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2552 2657
2553 state.SetRequireCTDelegate(nullptr); 2658 state.SetRequireCTDelegate(nullptr);
2554 EXPECT_EQ(original_status, 2659 EXPECT_EQ(
2555 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2660 original_status,
2661 state.CheckCTRequirements(
2662 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2663 cert.get(), SignedCertificateTimestampAndStatusList(),
2664 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2665 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2556 } 2666 }
2557 } 2667 }
2558 2668
2559 // Tests that Certificate Transparency is required for Symantec-issued 2669 // Tests that Certificate Transparency is required for Symantec-issued
2560 // certificates, unless the certificate was issued prior to 1 June 2016 2670 // certificates, unless the certificate was issued prior to 1 June 2016
2561 // or the issuing CA is whitelisted as independently operated. 2671 // or the issuing CA is whitelisted as independently operated.
2562 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { 2672 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
2563 // Test certificates before and after the 1 June 2016 deadline. 2673 // Test certificates before and after the 1 June 2016 deadline.
2564 scoped_refptr<X509Certificate> before_cert = 2674 scoped_refptr<X509Certificate> before_cert =
2565 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); 2675 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem");
(...skipping 11 matching lines...) Expand all
2577 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, 2687 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48,
2578 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; 2688 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}};
2579 2689
2580 TransportSecurityState state; 2690 TransportSecurityState state;
2581 2691
2582 HashValueVector hashes; 2692 HashValueVector hashes;
2583 hashes.push_back(HashValue(symantec_hash_value)); 2693 hashes.push_back(HashValue(symantec_hash_value));
2584 2694
2585 // Certificates issued by Symantec prior to 1 June 2016 should not 2695 // Certificates issued by Symantec prior to 1 June 2016 should not
2586 // be required to be disclosed via CT. 2696 // be required to be disclosed via CT.
2587 EXPECT_FALSE( 2697 EXPECT_TRUE(state.CheckCTRequirements(
2588 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); 2698 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(),
2699 before_cert.get(), SignedCertificateTimestampAndStatusList(),
2700 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2701 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2589 2702
2590 // ... but certificates issued after 1 June 2016 are required to be... 2703 // ... but certificates issued after 1 June 2016 are required to be...
2591 EXPECT_TRUE( 2704 EXPECT_FALSE(state.CheckCTRequirements(
2592 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); 2705 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2706 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2707 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2708 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2709 EXPECT_FALSE(state.CheckCTRequirements(
2710 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2711 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2712 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2713 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
2714 EXPECT_TRUE(state.CheckCTRequirements(
2715 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2716 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2717 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2718 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY));
2719 EXPECT_TRUE(state.CheckCTRequirements(
2720 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2721 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2722 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2723 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS));
2593 2724
2594 // ... unless they were issued by an excluded intermediate. 2725 // ... unless they were issued by an excluded intermediate.
2595 hashes.push_back(HashValue(google_hash_value)); 2726 hashes.push_back(HashValue(google_hash_value));
2596 EXPECT_FALSE( 2727 EXPECT_TRUE(state.CheckCTRequirements(
2597 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); 2728 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(),
2598 EXPECT_FALSE( 2729 before_cert.get(), SignedCertificateTimestampAndStatusList(),
2599 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); 2730 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2731 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2732 EXPECT_TRUE(state.CheckCTRequirements(
2733 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2734 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2735 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2736 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2600 2737
2601 // And other certificates should remain unaffected. 2738 // And other certificates should remain unaffected.
2602 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}}; 2739 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}};
2603 HashValueVector unrelated_hashes; 2740 HashValueVector unrelated_hashes;
2604 unrelated_hashes.push_back(HashValue(unrelated_hash_value)); 2741 unrelated_hashes.push_back(HashValue(unrelated_hash_value));
2605 2742
2606 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", before_cert.get(), 2743 EXPECT_TRUE(state.CheckCTRequirements(
2607 unrelated_hashes)); 2744 HostPortPair("www.example.com", 443), true, unrelated_hashes,
2608 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", after_cert.get(), 2745 before_cert.get(), before_cert.get(),
2609 unrelated_hashes)); 2746 SignedCertificateTimestampAndStatusList(),
2747 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2748 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2749 EXPECT_TRUE(state.CheckCTRequirements(
2750 HostPortPair("www.example.com", 443), true, unrelated_hashes,
2751 after_cert.get(), after_cert.get(),
2752 SignedCertificateTimestampAndStatusList(),
2753 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2754 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2610 2755
2611 // And the emergency field trial should disable the requirement, if 2756 // And the emergency field trial should disable the requirement, if
2612 // necessary. 2757 // necessary.
2613 hashes.clear(); 2758 hashes.clear();
2614 hashes.push_back(HashValue(symantec_hash_value)); 2759 hashes.push_back(HashValue(symantec_hash_value));
2615 base::FieldTrialList field_trial_list( 2760 base::FieldTrialList field_trial_list(
2616 base::MakeUnique<base::MockEntropyProvider>()); 2761 base::MakeUnique<base::MockEntropyProvider>());
2617 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", 2762 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots",
2618 "disabled"); 2763 "disabled");
2619 2764
2620 EXPECT_FALSE( 2765 EXPECT_TRUE(state.CheckCTRequirements(
2621 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); 2766 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(),
2622 EXPECT_FALSE( 2767 before_cert.get(), SignedCertificateTimestampAndStatusList(),
2623 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); 2768 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2769 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2770 EXPECT_TRUE(state.CheckCTRequirements(
2771 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2772 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2773 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2774 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2624 } 2775 }
2625 2776
2626 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). 2777 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData().
2627 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { 2778 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) {
2628 base::test::ScopedFeatureList feature_list; 2779 base::test::ScopedFeatureList feature_list;
2629 feature_list.InitAndEnableFeature( 2780 feature_list.InitAndEnableFeature(
2630 TransportSecurityState::kDynamicExpectCTFeature); 2781 TransportSecurityState::kDynamicExpectCTFeature);
2631 const std::string host("example.test"); 2782 const std::string host("example.test");
2632 TransportSecurityState state; 2783 TransportSecurityState state;
2633 TransportSecurityState::ExpectCTState expect_ct_state; 2784 TransportSecurityState::ExpectCTState expect_ct_state;
(...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after
2777 MockExpectCTReporter reporter; 2928 MockExpectCTReporter reporter;
2778 state.SetExpectCTReporter(&reporter); 2929 state.SetExpectCTReporter(&reporter);
2779 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); 2930 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl);
2780 TransportSecurityState::ExpectCTState expect_ct_state; 2931 TransportSecurityState::ExpectCTState expect_ct_state;
2781 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); 2932 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state));
2782 EXPECT_EQ(0u, reporter.num_failures()); 2933 EXPECT_EQ(0u, reporter.num_failures());
2783 } 2934 }
2784 2935
2785 // Tests that Expect-CT reports are sent when an Expect-CT header is received 2936 // Tests that Expect-CT reports are sent when an Expect-CT header is received
2786 // over a non-compliant connection. 2937 // over a non-compliant connection.
2787 TEST_F(TransportSecurityStateTest, DynamicExpectCTNonCompliant) { 2938 TEST_F(TransportSecurityStateTest,
2939 DynamicExpectCTHeaderProcessingNonCompliant) {
2788 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; 2940 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\"";
2789 SSLInfo ssl; 2941 SSLInfo ssl;
2790 ssl.is_issued_by_known_root = true; 2942 ssl.is_issued_by_known_root = true;
2791 ssl.ct_compliance_details_available = true; 2943 ssl.ct_compliance_details_available = true;
2792 ssl.ct_cert_policy_compliance = 2944 ssl.ct_cert_policy_compliance =
2793 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; 2945 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
2946 scoped_refptr<X509Certificate> cert1 =
2947 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
2948 scoped_refptr<X509Certificate> cert2 =
2949 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
2950 ASSERT_TRUE(cert1);
2951 ASSERT_TRUE(cert2);
2952 ssl.unverified_cert = cert1;
2953 ssl.cert = cert2;
2954 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
2955 std::string(), std::string(), base::Time::Now(),
2956 ct::SCT_STATUS_INVALID_SIGNATURE,
2957 &ssl.signed_certificate_timestamps);
2794 2958
2795 base::test::ScopedFeatureList feature_list; 2959 base::test::ScopedFeatureList feature_list;
2796 feature_list.InitAndEnableFeature( 2960 feature_list.InitAndEnableFeature(
2797 TransportSecurityState::kDynamicExpectCTFeature); 2961 TransportSecurityState::kDynamicExpectCTFeature);
2798 TransportSecurityState state; 2962 TransportSecurityState state;
2799 MockExpectCTReporter reporter; 2963 MockExpectCTReporter reporter;
2800 state.SetExpectCTReporter(&reporter); 2964 state.SetExpectCTReporter(&reporter);
2801 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); 2965 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl);
2802 TransportSecurityState::ExpectCTState expect_ct_state; 2966 TransportSecurityState::ExpectCTState expect_ct_state;
2803 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); 2967 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state));
2804 EXPECT_EQ(1u, reporter.num_failures()); 2968 EXPECT_EQ(1u, reporter.num_failures());
2805 EXPECT_EQ("example.test", reporter.host_port_pair().host()); 2969 EXPECT_EQ("example.test", reporter.host_port_pair().host());
2970 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain());
2971 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain());
2972 EXPECT_EQ(ssl.signed_certificate_timestamps.size(),
2973 reporter.signed_certificate_timestamps().size());
2974 EXPECT_EQ(ssl.signed_certificate_timestamps[0].status,
2975 reporter.signed_certificate_timestamps()[0].status);
2976 EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct,
2977 reporter.signed_certificate_timestamps()[0].sct);
2978 }
2979
2980 // Tests that CheckCTRequirements() returns false if a connection to a host
2981 // violates an Expect-CT header, and that it reports violations.
2982 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
2983 const base::Time current_time(base::Time::Now());
2984 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
2985 scoped_refptr<X509Certificate> cert1 =
2986 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
2987 scoped_refptr<X509Certificate> cert2 =
2988 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
2989 ASSERT_TRUE(cert1);
2990 ASSERT_TRUE(cert2);
2991 SignedCertificateTimestampAndStatusList sct_list;
2992 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
2993 std::string(), std::string(), base::Time::Now(),
2994 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list);
2995
2996 base::test::ScopedFeatureList feature_list;
2997 feature_list.InitAndEnableFeature(
2998 TransportSecurityState::kDynamicExpectCTFeature);
2999
3000 TransportSecurityState state;
3001 MockExpectCTReporter reporter;
3002 state.SetExpectCTReporter(&reporter);
3003 state.AddExpectCT("example.test", expiry, true /* enforce */,
3004 GURL("https://example-report.test"));
3005 state.AddExpectCT("example-report-only.test", expiry, false /* enforce */,
3006 GURL("https://example-report.test"));
3007 state.AddExpectCT("example-enforce-only.test", expiry, true /* enforce */,
3008 GURL());
3009
3010 // Test that a connection to an unrelated host is not affected.
3011 EXPECT_TRUE(state.CheckCTRequirements(
3012 HostPortPair("example2.test", 443), true, HashValueVector(), cert1.get(),
3013 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3014 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3015 EXPECT_TRUE(state.CheckCTRequirements(
3016 HostPortPair("example2.test", 443), true, HashValueVector(), cert1.get(),
3017 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3018 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
3019 EXPECT_EQ(0u, reporter.num_failures());
3020
3021 // A connection to an Expect-CT host should be closed and reported.
3022 EXPECT_FALSE(state.CheckCTRequirements(
3023 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(),
3024 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3025 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3026 EXPECT_EQ(1u, reporter.num_failures());
3027 EXPECT_EQ("example.test", reporter.host_port_pair().host());
3028 EXPECT_EQ(443, reporter.host_port_pair().port());
3029 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain());
3030 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain());
3031 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size());
3032 EXPECT_EQ(sct_list[0].status,
3033 reporter.signed_certificate_timestamps()[0].status);
3034 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
3035
3036 // A compliant connection to an Expect-CT host should not be closed or
3037 // reported.
3038 EXPECT_TRUE(state.CheckCTRequirements(
3039 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(),
3040 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3041 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS));
3042 EXPECT_EQ(1u, reporter.num_failures());
3043 EXPECT_TRUE(state.CheckCTRequirements(
3044 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(),
3045 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3046 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY));
3047 EXPECT_EQ(1u, reporter.num_failures());
3048
3049 // A connection to a report-only host should be reported only.
3050 EXPECT_TRUE(state.CheckCTRequirements(
3051 HostPortPair("example-report-only.test", 443), true, HashValueVector(),
3052 cert1.get(), cert2.get(), sct_list,
3053 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3054 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
3055 EXPECT_EQ(2u, reporter.num_failures());
3056 EXPECT_EQ("example-report-only.test", reporter.host_port_pair().host());
3057 EXPECT_EQ(443, reporter.host_port_pair().port());
3058 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain());
3059 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain());
3060 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size());
3061 EXPECT_EQ(sct_list[0].status,
3062 reporter.signed_certificate_timestamps()[0].status);
3063 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
3064
3065 // A connection to an enforce-only host should be closed but not reported.
3066 EXPECT_FALSE(state.CheckCTRequirements(
3067 HostPortPair("example-enforce-only.test", 443), true, HashValueVector(),
3068 cert1.get(), cert2.get(), sct_list,
3069 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3070 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
3071 EXPECT_EQ(2u, reporter.num_failures());
3072
3073 // A connection with a private root should be neither enforced nor reported.
3074 EXPECT_TRUE(state.CheckCTRequirements(
3075 HostPortPair("example.test", 443), false, HashValueVector(), cert1.get(),
3076 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3077 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3078 EXPECT_EQ(2u, reporter.num_failures());
3079
3080 // A connection with DISABLE_EXPECT_CT_REPORTS should not send a report.
3081 EXPECT_FALSE(state.CheckCTRequirements(
3082 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(),
3083 cert2.get(), sct_list, TransportSecurityState::DISABLE_EXPECT_CT_REPORTS,
3084 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3085 EXPECT_EQ(2u, reporter.num_failures());
3086 }
3087
3088 // Tests that for a host that requires CT by delegate and is also
3089 // Expect-CT-enabled, CheckCTRequirements() sends reports.
3090 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCTAndDelegate) {
3091 using ::testing::_;
3092 using ::testing::Return;
3093 using CTRequirementLevel =
3094 TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
3095
3096 const base::Time current_time(base::Time::Now());
3097 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
3098 scoped_refptr<X509Certificate> cert1 =
3099 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
3100 scoped_refptr<X509Certificate> cert2 =
3101 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
3102 ASSERT_TRUE(cert1);
3103 ASSERT_TRUE(cert2);
3104 SignedCertificateTimestampAndStatusList sct_list;
3105 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
3106 std::string(), std::string(), base::Time::Now(),
3107 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list);
3108
3109 base::test::ScopedFeatureList feature_list;
3110 feature_list.InitAndEnableFeature(
3111 TransportSecurityState::kDynamicExpectCTFeature);
3112
3113 TransportSecurityState state;
3114 MockExpectCTReporter reporter;
3115 state.SetExpectCTReporter(&reporter);
3116 state.AddExpectCT("example.test", expiry, false /* enforce */,
3117 GURL("https://example-report.test"));
3118
3119 // A connection to an Expect-CT host, which also requires CT by the delegate,
3120 // should be closed and reported.
3121 MockRequireCTDelegate always_require_delegate;
3122 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_))
3123 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED));
3124 state.SetRequireCTDelegate(&always_require_delegate);
3125 EXPECT_FALSE(state.CheckCTRequirements(
3126 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(),
3127 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3128 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3129 EXPECT_EQ(1u, reporter.num_failures());
3130 EXPECT_EQ("example.test", reporter.host_port_pair().host());
3131 EXPECT_EQ(443, reporter.host_port_pair().port());
3132 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain());
3133 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain());
3134 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size());
3135 EXPECT_EQ(sct_list[0].status,
3136 reporter.signed_certificate_timestamps()[0].status);
3137 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
2806 } 3138 }
2807 3139
2808 } // namespace net 3140 } // namespace net
OLDNEW
« net/http/transport_security_state.cc ('K') | « net/http/transport_security_state.cc ('k') | net/quic/chromium/crypto/proof_verifier_chromium.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698