OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
86 const char* const kBadPath[] = { | 86 const char* const kBadPath[] = { |
87 "sha1/111111111111111111111111111=", | 87 "sha1/111111111111111111111111111=", |
88 "sha1/222222222222222222222222222=", | 88 "sha1/222222222222222222222222222=", |
89 "sha1/333333333333333333333333333=", | 89 "sha1/333333333333333333333333333=", |
90 "sha256/1111111111111111111111111111111111111111111=", | 90 "sha256/1111111111111111111111111111111111111111111=", |
91 "sha256/2222222222222222222222222222222222222222222=", | 91 "sha256/2222222222222222222222222222222222222222222=", |
92 "sha256/3333333333333333333333333333333333333333333=", | 92 "sha256/3333333333333333333333333333333333333333333=", |
93 nullptr, | 93 nullptr, |
94 }; | 94 }; |
95 | 95 |
96 // Constructs a SignedCertificateTimestampAndStatus with the given information | |
97 // and appends it to |sct_list|. | |
98 void MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::Origin origin, | |
99 const std::string& log_id, | |
100 const std::string& extensions, | |
101 const std::string& signature_data, | |
102 const base::Time& timestamp, | |
103 ct::SCTVerifyStatus status, | |
104 SignedCertificateTimestampAndStatusList* sct_list) { | |
105 scoped_refptr<net::ct::SignedCertificateTimestamp> sct( | |
106 new net::ct::SignedCertificateTimestamp()); | |
107 sct->version = net::ct::SignedCertificateTimestamp::V1; | |
108 sct->log_id = log_id; | |
109 sct->extensions = extensions; | |
110 sct->timestamp = timestamp; | |
111 sct->signature.signature_data = signature_data; | |
112 sct->origin = origin; | |
113 sct_list->push_back(net::SignedCertificateTimestampAndStatus(sct, status)); | |
114 } | |
115 | |
96 // A mock ReportSenderInterface that just remembers the latest report | 116 // A mock ReportSenderInterface that just remembers the latest report |
97 // URI and report to be sent. | 117 // URI and report to be sent. |
98 class MockCertificateReportSender | 118 class MockCertificateReportSender |
99 : public TransportSecurityState::ReportSenderInterface { | 119 : public TransportSecurityState::ReportSenderInterface { |
100 public: | 120 public: |
101 MockCertificateReportSender() {} | 121 MockCertificateReportSender() {} |
102 ~MockCertificateReportSender() override {} | 122 ~MockCertificateReportSender() override {} |
103 | 123 |
104 void Send(const GURL& report_uri, | 124 void Send(const GURL& report_uri, |
105 base::StringPiece content_type, | 125 base::StringPiece content_type, |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
154 | 174 |
155 // A mock ExpectCTReporter that remembers the latest violation that was | 175 // A mock ExpectCTReporter that remembers the latest violation that was |
156 // reported and the number of violations reported. | 176 // reported and the number of violations reported. |
157 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { | 177 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { |
158 public: | 178 public: |
159 MockExpectCTReporter() : num_failures_(0) {} | 179 MockExpectCTReporter() : num_failures_(0) {} |
160 ~MockExpectCTReporter() override {} | 180 ~MockExpectCTReporter() override {} |
161 | 181 |
162 void OnExpectCTFailed(const HostPortPair& host_port_pair, | 182 void OnExpectCTFailed(const HostPortPair& host_port_pair, |
163 const GURL& report_uri, | 183 const GURL& report_uri, |
164 const net::SSLInfo& ssl_info) override { | 184 const X509Certificate* validated_certificate_chain, |
185 const X509Certificate* served_certificate_chain, | |
186 const SignedCertificateTimestampAndStatusList& | |
187 signed_certificate_timestamps) override { | |
165 num_failures_++; | 188 num_failures_++; |
166 host_port_pair_ = host_port_pair; | 189 host_port_pair_ = host_port_pair; |
167 report_uri_ = report_uri; | 190 report_uri_ = report_uri; |
168 ssl_info_ = ssl_info; | 191 served_certificate_chain_ = served_certificate_chain; |
192 validated_certificate_chain_ = validated_certificate_chain; | |
193 signed_certificate_timestamps_ = signed_certificate_timestamps; | |
169 } | 194 } |
170 | 195 |
171 const HostPortPair& host_port_pair() { return host_port_pair_; } | 196 const HostPortPair& host_port_pair() { return host_port_pair_; } |
172 const GURL& report_uri() { return report_uri_; } | 197 const GURL& report_uri() { return report_uri_; } |
173 const SSLInfo& ssl_info() { return ssl_info_; } | |
174 uint32_t num_failures() { return num_failures_; } | 198 uint32_t num_failures() { return num_failures_; } |
199 const X509Certificate* served_certificate_chain() { | |
200 return served_certificate_chain_; | |
201 } | |
202 const X509Certificate* validated_certificate_chain() { | |
203 return validated_certificate_chain_; | |
204 } | |
205 const SignedCertificateTimestampAndStatusList& | |
206 signed_certificate_timestamps() { | |
207 return signed_certificate_timestamps_; | |
208 } | |
175 | 209 |
176 private: | 210 private: |
177 HostPortPair host_port_pair_; | 211 HostPortPair host_port_pair_; |
178 GURL report_uri_; | 212 GURL report_uri_; |
179 SSLInfo ssl_info_; | |
180 uint32_t num_failures_; | 213 uint32_t num_failures_; |
214 const X509Certificate* served_certificate_chain_; | |
215 const X509Certificate* validated_certificate_chain_; | |
216 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_; | |
181 }; | 217 }; |
182 | 218 |
183 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { | 219 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
184 public: | 220 public: |
185 MOCK_METHOD1(IsCTRequiredForHost, | 221 MOCK_METHOD1(IsCTRequiredForHost, |
186 CTRequirementLevel(const std::string& hostname)); | 222 CTRequirementLevel(const std::string& hostname)); |
187 }; | 223 }; |
188 | 224 |
189 void CompareCertificateChainWithList( | 225 void CompareCertificateChainWithList( |
190 const scoped_refptr<X509Certificate>& cert_chain, | 226 const scoped_refptr<X509Certificate>& cert_chain, |
(...skipping 1828 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2019 | 2055 |
2020 // Tests that the Expect CT reporter is notified for noncompliant | 2056 // Tests that the Expect CT reporter is notified for noncompliant |
2021 // connections. | 2057 // connections. |
2022 TEST_F(TransportSecurityStateTest, ExpectCTReporter) { | 2058 TEST_F(TransportSecurityStateTest, ExpectCTReporter) { |
2023 HostPortPair host_port(kExpectCTStaticHostname, 443); | 2059 HostPortPair host_port(kExpectCTStaticHostname, 443); |
2024 SSLInfo ssl_info; | 2060 SSLInfo ssl_info; |
2025 ssl_info.ct_compliance_details_available = true; | 2061 ssl_info.ct_compliance_details_available = true; |
2026 ssl_info.ct_cert_policy_compliance = | 2062 ssl_info.ct_cert_policy_compliance = |
2027 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS; | 2063 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS; |
2028 ssl_info.is_issued_by_known_root = true; | 2064 ssl_info.is_issued_by_known_root = true; |
2065 scoped_refptr<X509Certificate> cert1 = | |
2066 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | |
2067 scoped_refptr<X509Certificate> cert2 = | |
2068 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | |
2069 ASSERT_TRUE(cert1); | |
2070 ASSERT_TRUE(cert2); | |
2071 ssl_info.unverified_cert = cert1; | |
2072 ssl_info.cert = cert2; | |
2073 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", | |
2074 std::string(), std::string(), base::Time::Now(), | |
2075 ct::SCT_STATUS_INVALID_SIGNATURE, | |
2076 &ssl_info.signed_certificate_timestamps); | |
2029 | 2077 |
2030 TransportSecurityState state; | 2078 TransportSecurityState state; |
2031 TransportSecurityStateTest::EnableStaticExpectCT(&state); | 2079 TransportSecurityStateTest::EnableStaticExpectCT(&state); |
2032 MockExpectCTReporter reporter; | 2080 MockExpectCTReporter reporter; |
2033 state.SetExpectCTReporter(&reporter); | 2081 state.SetExpectCTReporter(&reporter); |
2034 state.ProcessExpectCTHeader("preload", host_port, ssl_info); | 2082 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
2035 EXPECT_EQ(1u, reporter.num_failures()); | 2083 EXPECT_EQ(1u, reporter.num_failures()); |
2036 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); | |
2037 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, | |
2038 reporter.ssl_info().ct_cert_policy_compliance); | |
2039 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 2084 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
2040 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 2085 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
2041 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 2086 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
2087 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); | |
2088 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); | |
2089 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), | |
2090 reporter.signed_certificate_timestamps().size()); | |
2091 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, | |
2092 reporter.signed_certificate_timestamps()[0].status); | |
2093 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct, | |
2094 reporter.signed_certificate_timestamps()[0].sct); | |
2042 } | 2095 } |
2043 | 2096 |
2044 // Simple test for the HSTS preload process. The trie (generated from | 2097 // Simple test for the HSTS preload process. The trie (generated from |
2045 // transport_security_state_static_unittest1.json) contains 1 entry. Test that | 2098 // transport_security_state_static_unittest1.json) contains 1 entry. Test that |
2046 // the lookup methods can find the entry and correctly decode the different | 2099 // the lookup methods can find the entry and correctly decode the different |
2047 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). | 2100 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). |
2048 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { | 2101 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { |
2049 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); | 2102 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); |
2050 | 2103 |
2051 TransportSecurityState state; | 2104 TransportSecurityState state; |
(...skipping 449 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2501 scoped_refptr<X509Certificate> cert = | 2554 scoped_refptr<X509Certificate> cert = |
2502 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | 2555 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
2503 ASSERT_TRUE(cert); | 2556 ASSERT_TRUE(cert); |
2504 | 2557 |
2505 HashValueVector hashes; | 2558 HashValueVector hashes; |
2506 hashes.push_back(HashValue( | 2559 hashes.push_back(HashValue( |
2507 X509Certificate::CalculateFingerprint256(cert->os_cert_handle()))); | 2560 X509Certificate::CalculateFingerprint256(cert->os_cert_handle()))); |
2508 | 2561 |
2509 { | 2562 { |
2510 TransportSecurityState state; | 2563 TransportSecurityState state; |
2511 bool original_status = | 2564 bool original_status = state.CheckCTRequirements( |
2512 state.ShouldRequireCT("www.example.com", cert.get(), hashes); | 2565 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
2566 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2567 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2568 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS); | |
2513 | 2569 |
2514 MockRequireCTDelegate always_require_delegate; | 2570 MockRequireCTDelegate always_require_delegate; |
2515 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) | 2571 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) |
2516 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); | 2572 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); |
2517 state.SetRequireCTDelegate(&always_require_delegate); | 2573 state.SetRequireCTDelegate(&always_require_delegate); |
2518 EXPECT_TRUE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2574 EXPECT_FALSE(state.CheckCTRequirements( |
2575 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2576 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2577 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2578 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2579 EXPECT_FALSE(state.CheckCTRequirements( | |
2580 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2581 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2582 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2583 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); | |
estark
2017/05/04 01:18:30
Now that the CertPolicyCompliance testing is in Tr
| |
2584 EXPECT_TRUE(state.CheckCTRequirements( | |
2585 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2586 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2587 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2588 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); | |
2589 EXPECT_TRUE(state.CheckCTRequirements( | |
2590 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2591 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2592 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2593 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY)); | |
2519 | 2594 |
2520 state.SetRequireCTDelegate(nullptr); | 2595 state.SetRequireCTDelegate(nullptr); |
2521 EXPECT_EQ(original_status, | 2596 EXPECT_EQ( |
2522 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2597 original_status, |
2598 state.CheckCTRequirements( | |
2599 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2600 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2601 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2602 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2523 } | 2603 } |
2524 | 2604 |
2525 { | 2605 { |
2526 TransportSecurityState state; | 2606 TransportSecurityState state; |
2527 bool original_status = | 2607 bool original_status = state.CheckCTRequirements( |
2528 state.ShouldRequireCT("www.example.com", cert.get(), hashes); | 2608 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
2609 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2610 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2611 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS); | |
2529 | 2612 |
2530 MockRequireCTDelegate never_require_delegate; | 2613 MockRequireCTDelegate never_require_delegate; |
2531 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_)) | 2614 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_)) |
2532 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); | 2615 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); |
2533 state.SetRequireCTDelegate(&never_require_delegate); | 2616 state.SetRequireCTDelegate(&never_require_delegate); |
2534 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2617 EXPECT_TRUE(state.CheckCTRequirements( |
2618 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2619 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2620 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2621 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2622 EXPECT_TRUE(state.CheckCTRequirements( | |
2623 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2624 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2625 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2626 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); | |
2535 | 2627 |
2536 state.SetRequireCTDelegate(nullptr); | 2628 state.SetRequireCTDelegate(nullptr); |
2537 EXPECT_EQ(original_status, | 2629 EXPECT_EQ( |
2538 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2630 original_status, |
2631 state.CheckCTRequirements( | |
2632 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2633 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2634 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2635 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2539 } | 2636 } |
2540 | 2637 |
2541 { | 2638 { |
2542 TransportSecurityState state; | 2639 TransportSecurityState state; |
2543 bool original_status = | 2640 bool original_status = state.CheckCTRequirements( |
2544 state.ShouldRequireCT("www.example.com", cert.get(), hashes); | 2641 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
2642 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2643 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2644 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS); | |
2545 | 2645 |
2546 MockRequireCTDelegate default_require_ct_delegate; | 2646 MockRequireCTDelegate default_require_ct_delegate; |
2547 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_)) | 2647 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_)) |
2548 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); | 2648 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); |
2549 state.SetRequireCTDelegate(&default_require_ct_delegate); | 2649 state.SetRequireCTDelegate(&default_require_ct_delegate); |
2550 EXPECT_EQ(original_status, | 2650 EXPECT_EQ( |
2551 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2651 original_status, |
2652 state.CheckCTRequirements( | |
2653 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2654 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2655 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2656 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2552 | 2657 |
2553 state.SetRequireCTDelegate(nullptr); | 2658 state.SetRequireCTDelegate(nullptr); |
2554 EXPECT_EQ(original_status, | 2659 EXPECT_EQ( |
2555 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2660 original_status, |
2661 state.CheckCTRequirements( | |
2662 HostPortPair("www.example.com", 443), true, hashes, cert.get(), | |
2663 cert.get(), SignedCertificateTimestampAndStatusList(), | |
2664 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2665 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2556 } | 2666 } |
2557 } | 2667 } |
2558 | 2668 |
2559 // Tests that Certificate Transparency is required for Symantec-issued | 2669 // Tests that Certificate Transparency is required for Symantec-issued |
2560 // certificates, unless the certificate was issued prior to 1 June 2016 | 2670 // certificates, unless the certificate was issued prior to 1 June 2016 |
2561 // or the issuing CA is whitelisted as independently operated. | 2671 // or the issuing CA is whitelisted as independently operated. |
2562 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { | 2672 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { |
2563 // Test certificates before and after the 1 June 2016 deadline. | 2673 // Test certificates before and after the 1 June 2016 deadline. |
2564 scoped_refptr<X509Certificate> before_cert = | 2674 scoped_refptr<X509Certificate> before_cert = |
2565 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); | 2675 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); |
(...skipping 11 matching lines...) Expand all Loading... | |
2577 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, | 2687 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, |
2578 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; | 2688 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; |
2579 | 2689 |
2580 TransportSecurityState state; | 2690 TransportSecurityState state; |
2581 | 2691 |
2582 HashValueVector hashes; | 2692 HashValueVector hashes; |
2583 hashes.push_back(HashValue(symantec_hash_value)); | 2693 hashes.push_back(HashValue(symantec_hash_value)); |
2584 | 2694 |
2585 // Certificates issued by Symantec prior to 1 June 2016 should not | 2695 // Certificates issued by Symantec prior to 1 June 2016 should not |
2586 // be required to be disclosed via CT. | 2696 // be required to be disclosed via CT. |
2587 EXPECT_FALSE( | 2697 EXPECT_TRUE(state.CheckCTRequirements( |
2588 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2698 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), |
2699 before_cert.get(), SignedCertificateTimestampAndStatusList(), | |
2700 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2701 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2589 | 2702 |
2590 // ... but certificates issued after 1 June 2016 are required to be... | 2703 // ... but certificates issued after 1 June 2016 are required to be... |
2591 EXPECT_TRUE( | 2704 EXPECT_FALSE(state.CheckCTRequirements( |
2592 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2705 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
2706 after_cert.get(), SignedCertificateTimestampAndStatusList(), | |
2707 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2708 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2709 EXPECT_FALSE(state.CheckCTRequirements( | |
2710 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), | |
2711 after_cert.get(), SignedCertificateTimestampAndStatusList(), | |
2712 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2713 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); | |
2714 EXPECT_TRUE(state.CheckCTRequirements( | |
2715 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), | |
2716 after_cert.get(), SignedCertificateTimestampAndStatusList(), | |
2717 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2718 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY)); | |
2719 EXPECT_TRUE(state.CheckCTRequirements( | |
2720 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), | |
2721 after_cert.get(), SignedCertificateTimestampAndStatusList(), | |
2722 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2723 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); | |
2593 | 2724 |
2594 // ... unless they were issued by an excluded intermediate. | 2725 // ... unless they were issued by an excluded intermediate. |
2595 hashes.push_back(HashValue(google_hash_value)); | 2726 hashes.push_back(HashValue(google_hash_value)); |
2596 EXPECT_FALSE( | 2727 EXPECT_TRUE(state.CheckCTRequirements( |
2597 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2728 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), |
2598 EXPECT_FALSE( | 2729 before_cert.get(), SignedCertificateTimestampAndStatusList(), |
2599 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2730 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
2731 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2732 EXPECT_TRUE(state.CheckCTRequirements( | |
2733 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), | |
2734 after_cert.get(), SignedCertificateTimestampAndStatusList(), | |
2735 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2736 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2600 | 2737 |
2601 // And other certificates should remain unaffected. | 2738 // And other certificates should remain unaffected. |
2602 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}}; | 2739 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}}; |
2603 HashValueVector unrelated_hashes; | 2740 HashValueVector unrelated_hashes; |
2604 unrelated_hashes.push_back(HashValue(unrelated_hash_value)); | 2741 unrelated_hashes.push_back(HashValue(unrelated_hash_value)); |
2605 | 2742 |
2606 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", before_cert.get(), | 2743 EXPECT_TRUE(state.CheckCTRequirements( |
2607 unrelated_hashes)); | 2744 HostPortPair("www.example.com", 443), true, unrelated_hashes, |
2608 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", after_cert.get(), | 2745 before_cert.get(), before_cert.get(), |
2609 unrelated_hashes)); | 2746 SignedCertificateTimestampAndStatusList(), |
2747 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2748 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2749 EXPECT_TRUE(state.CheckCTRequirements( | |
2750 HostPortPair("www.example.com", 443), true, unrelated_hashes, | |
2751 after_cert.get(), after_cert.get(), | |
2752 SignedCertificateTimestampAndStatusList(), | |
2753 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2754 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2610 | 2755 |
2611 // And the emergency field trial should disable the requirement, if | 2756 // And the emergency field trial should disable the requirement, if |
2612 // necessary. | 2757 // necessary. |
2613 hashes.clear(); | 2758 hashes.clear(); |
2614 hashes.push_back(HashValue(symantec_hash_value)); | 2759 hashes.push_back(HashValue(symantec_hash_value)); |
2615 base::FieldTrialList field_trial_list( | 2760 base::FieldTrialList field_trial_list( |
2616 base::MakeUnique<base::MockEntropyProvider>()); | 2761 base::MakeUnique<base::MockEntropyProvider>()); |
2617 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", | 2762 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", |
2618 "disabled"); | 2763 "disabled"); |
2619 | 2764 |
2620 EXPECT_FALSE( | 2765 EXPECT_TRUE(state.CheckCTRequirements( |
2621 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2766 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), |
2622 EXPECT_FALSE( | 2767 before_cert.get(), SignedCertificateTimestampAndStatusList(), |
2623 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2768 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
2769 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2770 EXPECT_TRUE(state.CheckCTRequirements( | |
2771 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), | |
2772 after_cert.get(), SignedCertificateTimestampAndStatusList(), | |
2773 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
2774 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
2624 } | 2775 } |
2625 | 2776 |
2626 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). | 2777 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). |
2627 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { | 2778 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { |
2628 base::test::ScopedFeatureList feature_list; | 2779 base::test::ScopedFeatureList feature_list; |
2629 feature_list.InitAndEnableFeature( | 2780 feature_list.InitAndEnableFeature( |
2630 TransportSecurityState::kDynamicExpectCTFeature); | 2781 TransportSecurityState::kDynamicExpectCTFeature); |
2631 const std::string host("example.test"); | 2782 const std::string host("example.test"); |
2632 TransportSecurityState state; | 2783 TransportSecurityState state; |
2633 TransportSecurityState::ExpectCTState expect_ct_state; | 2784 TransportSecurityState::ExpectCTState expect_ct_state; |
(...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2777 MockExpectCTReporter reporter; | 2928 MockExpectCTReporter reporter; |
2778 state.SetExpectCTReporter(&reporter); | 2929 state.SetExpectCTReporter(&reporter); |
2779 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); | 2930 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
2780 TransportSecurityState::ExpectCTState expect_ct_state; | 2931 TransportSecurityState::ExpectCTState expect_ct_state; |
2781 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); | 2932 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
2782 EXPECT_EQ(0u, reporter.num_failures()); | 2933 EXPECT_EQ(0u, reporter.num_failures()); |
2783 } | 2934 } |
2784 | 2935 |
2785 // Tests that Expect-CT reports are sent when an Expect-CT header is received | 2936 // Tests that Expect-CT reports are sent when an Expect-CT header is received |
2786 // over a non-compliant connection. | 2937 // over a non-compliant connection. |
2787 TEST_F(TransportSecurityStateTest, DynamicExpectCTNonCompliant) { | 2938 TEST_F(TransportSecurityStateTest, |
2939 DynamicExpectCTHeaderProcessingNonCompliant) { | |
2788 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; | 2940 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; |
2789 SSLInfo ssl; | 2941 SSLInfo ssl; |
2790 ssl.is_issued_by_known_root = true; | 2942 ssl.is_issued_by_known_root = true; |
2791 ssl.ct_compliance_details_available = true; | 2943 ssl.ct_compliance_details_available = true; |
2792 ssl.ct_cert_policy_compliance = | 2944 ssl.ct_cert_policy_compliance = |
2793 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; | 2945 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; |
2946 scoped_refptr<X509Certificate> cert1 = | |
2947 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | |
2948 scoped_refptr<X509Certificate> cert2 = | |
2949 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | |
2950 ASSERT_TRUE(cert1); | |
2951 ASSERT_TRUE(cert2); | |
2952 ssl.unverified_cert = cert1; | |
2953 ssl.cert = cert2; | |
2954 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", | |
2955 std::string(), std::string(), base::Time::Now(), | |
2956 ct::SCT_STATUS_INVALID_SIGNATURE, | |
2957 &ssl.signed_certificate_timestamps); | |
2794 | 2958 |
2795 base::test::ScopedFeatureList feature_list; | 2959 base::test::ScopedFeatureList feature_list; |
2796 feature_list.InitAndEnableFeature( | 2960 feature_list.InitAndEnableFeature( |
2797 TransportSecurityState::kDynamicExpectCTFeature); | 2961 TransportSecurityState::kDynamicExpectCTFeature); |
2798 TransportSecurityState state; | 2962 TransportSecurityState state; |
2799 MockExpectCTReporter reporter; | 2963 MockExpectCTReporter reporter; |
2800 state.SetExpectCTReporter(&reporter); | 2964 state.SetExpectCTReporter(&reporter); |
2801 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); | 2965 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
2802 TransportSecurityState::ExpectCTState expect_ct_state; | 2966 TransportSecurityState::ExpectCTState expect_ct_state; |
2803 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); | 2967 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
2804 EXPECT_EQ(1u, reporter.num_failures()); | 2968 EXPECT_EQ(1u, reporter.num_failures()); |
2805 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | 2969 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
2970 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); | |
2971 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); | |
2972 EXPECT_EQ(ssl.signed_certificate_timestamps.size(), | |
2973 reporter.signed_certificate_timestamps().size()); | |
2974 EXPECT_EQ(ssl.signed_certificate_timestamps[0].status, | |
2975 reporter.signed_certificate_timestamps()[0].status); | |
2976 EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct, | |
2977 reporter.signed_certificate_timestamps()[0].sct); | |
2978 } | |
2979 | |
2980 // Tests that CheckCTRequirements() returns false if a connection to a host | |
2981 // violates an Expect-CT header, and that it reports violations. | |
2982 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) { | |
2983 const base::Time current_time(base::Time::Now()); | |
2984 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
2985 scoped_refptr<X509Certificate> cert1 = | |
2986 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | |
2987 scoped_refptr<X509Certificate> cert2 = | |
2988 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | |
2989 ASSERT_TRUE(cert1); | |
2990 ASSERT_TRUE(cert2); | |
2991 SignedCertificateTimestampAndStatusList sct_list; | |
2992 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", | |
2993 std::string(), std::string(), base::Time::Now(), | |
2994 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list); | |
2995 | |
2996 base::test::ScopedFeatureList feature_list; | |
2997 feature_list.InitAndEnableFeature( | |
2998 TransportSecurityState::kDynamicExpectCTFeature); | |
2999 | |
3000 TransportSecurityState state; | |
3001 MockExpectCTReporter reporter; | |
3002 state.SetExpectCTReporter(&reporter); | |
3003 state.AddExpectCT("example.test", expiry, true /* enforce */, | |
3004 GURL("https://example-report.test")); | |
3005 state.AddExpectCT("example-report-only.test", expiry, false /* enforce */, | |
3006 GURL("https://example-report.test")); | |
3007 state.AddExpectCT("example-enforce-only.test", expiry, true /* enforce */, | |
3008 GURL()); | |
3009 | |
3010 // Test that a connection to an unrelated host is not affected. | |
3011 EXPECT_TRUE(state.CheckCTRequirements( | |
3012 HostPortPair("example2.test", 443), true, HashValueVector(), cert1.get(), | |
3013 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
3014 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
3015 EXPECT_TRUE(state.CheckCTRequirements( | |
3016 HostPortPair("example2.test", 443), true, HashValueVector(), cert1.get(), | |
3017 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
3018 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); | |
3019 EXPECT_EQ(0u, reporter.num_failures()); | |
3020 | |
3021 // A connection to an Expect-CT host should be closed and reported. | |
3022 EXPECT_FALSE(state.CheckCTRequirements( | |
3023 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(), | |
3024 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
3025 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
3026 EXPECT_EQ(1u, reporter.num_failures()); | |
3027 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | |
3028 EXPECT_EQ(443, reporter.host_port_pair().port()); | |
3029 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); | |
3030 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); | |
3031 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); | |
3032 EXPECT_EQ(sct_list[0].status, | |
3033 reporter.signed_certificate_timestamps()[0].status); | |
3034 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); | |
3035 | |
3036 // A compliant connection to an Expect-CT host should not be closed or | |
3037 // reported. | |
3038 EXPECT_TRUE(state.CheckCTRequirements( | |
3039 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(), | |
3040 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
3041 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); | |
3042 EXPECT_EQ(1u, reporter.num_failures()); | |
3043 EXPECT_TRUE(state.CheckCTRequirements( | |
3044 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(), | |
3045 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
3046 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY)); | |
3047 EXPECT_EQ(1u, reporter.num_failures()); | |
3048 | |
3049 // A connection to a report-only host should be reported only. | |
3050 EXPECT_TRUE(state.CheckCTRequirements( | |
3051 HostPortPair("example-report-only.test", 443), true, HashValueVector(), | |
3052 cert1.get(), cert2.get(), sct_list, | |
3053 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
3054 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); | |
3055 EXPECT_EQ(2u, reporter.num_failures()); | |
3056 EXPECT_EQ("example-report-only.test", reporter.host_port_pair().host()); | |
3057 EXPECT_EQ(443, reporter.host_port_pair().port()); | |
3058 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); | |
3059 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); | |
3060 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); | |
3061 EXPECT_EQ(sct_list[0].status, | |
3062 reporter.signed_certificate_timestamps()[0].status); | |
3063 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); | |
3064 | |
3065 // A connection to an enforce-only host should be closed but not reported. | |
3066 EXPECT_FALSE(state.CheckCTRequirements( | |
3067 HostPortPair("example-enforce-only.test", 443), true, HashValueVector(), | |
3068 cert1.get(), cert2.get(), sct_list, | |
3069 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
3070 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); | |
3071 EXPECT_EQ(2u, reporter.num_failures()); | |
3072 | |
3073 // A connection with a private root should be neither enforced nor reported. | |
3074 EXPECT_TRUE(state.CheckCTRequirements( | |
3075 HostPortPair("example.test", 443), false, HashValueVector(), cert1.get(), | |
3076 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
3077 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
3078 EXPECT_EQ(2u, reporter.num_failures()); | |
3079 | |
3080 // A connection with DISABLE_EXPECT_CT_REPORTS should not send a report. | |
3081 EXPECT_FALSE(state.CheckCTRequirements( | |
3082 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(), | |
3083 cert2.get(), sct_list, TransportSecurityState::DISABLE_EXPECT_CT_REPORTS, | |
3084 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
3085 EXPECT_EQ(2u, reporter.num_failures()); | |
3086 } | |
3087 | |
3088 // Tests that for a host that requires CT by delegate and is also | |
3089 // Expect-CT-enabled, CheckCTRequirements() sends reports. | |
3090 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCTAndDelegate) { | |
3091 using ::testing::_; | |
3092 using ::testing::Return; | |
3093 using CTRequirementLevel = | |
3094 TransportSecurityState::RequireCTDelegate::CTRequirementLevel; | |
3095 | |
3096 const base::Time current_time(base::Time::Now()); | |
3097 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
3098 scoped_refptr<X509Certificate> cert1 = | |
3099 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); | |
3100 scoped_refptr<X509Certificate> cert2 = | |
3101 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | |
3102 ASSERT_TRUE(cert1); | |
3103 ASSERT_TRUE(cert2); | |
3104 SignedCertificateTimestampAndStatusList sct_list; | |
3105 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", | |
3106 std::string(), std::string(), base::Time::Now(), | |
3107 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list); | |
3108 | |
3109 base::test::ScopedFeatureList feature_list; | |
3110 feature_list.InitAndEnableFeature( | |
3111 TransportSecurityState::kDynamicExpectCTFeature); | |
3112 | |
3113 TransportSecurityState state; | |
3114 MockExpectCTReporter reporter; | |
3115 state.SetExpectCTReporter(&reporter); | |
3116 state.AddExpectCT("example.test", expiry, false /* enforce */, | |
3117 GURL("https://example-report.test")); | |
3118 | |
3119 // A connection to an Expect-CT host, which also requires CT by the delegate, | |
3120 // should be closed and reported. | |
3121 MockRequireCTDelegate always_require_delegate; | |
3122 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) | |
3123 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); | |
3124 state.SetRequireCTDelegate(&always_require_delegate); | |
3125 EXPECT_FALSE(state.CheckCTRequirements( | |
3126 HostPortPair("example.test", 443), true, HashValueVector(), cert1.get(), | |
3127 cert2.get(), sct_list, TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | |
3128 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
3129 EXPECT_EQ(1u, reporter.num_failures()); | |
3130 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | |
3131 EXPECT_EQ(443, reporter.host_port_pair().port()); | |
3132 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); | |
3133 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); | |
3134 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); | |
3135 EXPECT_EQ(sct_list[0].status, | |
3136 reporter.signed_certificate_timestamps()[0].status); | |
3137 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); | |
2806 } | 3138 } |
2807 | 3139 |
2808 } // namespace net | 3140 } // namespace net |
OLD | NEW |