OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
2089 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); | 2089 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); |
2090 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); | 2090 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); |
2091 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), | 2091 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), |
2092 reporter.signed_certificate_timestamps().size()); | 2092 reporter.signed_certificate_timestamps().size()); |
2093 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, | 2093 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, |
2094 reporter.signed_certificate_timestamps()[0].status); | 2094 reporter.signed_certificate_timestamps()[0].status); |
2095 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct, | 2095 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct, |
2096 reporter.signed_certificate_timestamps()[0].sct); | 2096 reporter.signed_certificate_timestamps()[0].sct); |
2097 } | 2097 } |
2098 | 2098 |
| 2099 // Tests that the Expect CT reporter is not notified for repeated noncompliant |
| 2100 // connections to the same preloaded host. |
| 2101 TEST_F(TransportSecurityStateTest, RepeatedExpectCTReportsForStaticExpectCT) { |
| 2102 HostPortPair host_port(kExpectCTStaticHostname, 443); |
| 2103 SSLInfo ssl_info; |
| 2104 ssl_info.ct_compliance_details_available = true; |
| 2105 ssl_info.ct_cert_policy_compliance = |
| 2106 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS; |
| 2107 ssl_info.is_issued_by_known_root = true; |
| 2108 scoped_refptr<X509Certificate> cert1 = |
| 2109 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 2110 scoped_refptr<X509Certificate> cert2 = |
| 2111 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 2112 ASSERT_TRUE(cert1); |
| 2113 ASSERT_TRUE(cert2); |
| 2114 ssl_info.unverified_cert = cert1; |
| 2115 ssl_info.cert = cert2; |
| 2116 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", |
| 2117 std::string(), std::string(), base::Time::Now(), |
| 2118 ct::SCT_STATUS_INVALID_SIGNATURE, |
| 2119 &ssl_info.signed_certificate_timestamps); |
| 2120 |
| 2121 TransportSecurityState state; |
| 2122 TransportSecurityStateTest::EnableStaticExpectCT(&state); |
| 2123 MockExpectCTReporter reporter; |
| 2124 state.SetExpectCTReporter(&reporter); |
| 2125 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
| 2126 EXPECT_EQ(1u, reporter.num_failures()); |
| 2127 |
| 2128 // After processing a second header, the report should not be sent again. |
| 2129 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
| 2130 EXPECT_EQ(1u, reporter.num_failures()); |
| 2131 } |
| 2132 |
2099 // Simple test for the HSTS preload process. The trie (generated from | 2133 // Simple test for the HSTS preload process. The trie (generated from |
2100 // transport_security_state_static_unittest1.json) contains 1 entry. Test that | 2134 // transport_security_state_static_unittest1.json) contains 1 entry. Test that |
2101 // the lookup methods can find the entry and correctly decode the different | 2135 // the lookup methods can find the entry and correctly decode the different |
2102 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). | 2136 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). |
2103 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { | 2137 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { |
2104 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); | 2138 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); |
2105 | 2139 |
2106 TransportSecurityState state; | 2140 TransportSecurityState state; |
2107 TransportSecurityStateTest::EnableStaticPins(&state); | 2141 TransportSecurityStateTest::EnableStaticPins(&state); |
2108 TransportSecurityStateTest::EnableStaticExpectCT(&state); | 2142 TransportSecurityStateTest::EnableStaticExpectCT(&state); |
2858 EXPECT_FALSE(expect_ct_state.enforce); | 2892 EXPECT_FALSE(expect_ct_state.enforce); |
2859 EXPECT_EQ(report_uri, expect_ct_state.report_uri); | 2893 EXPECT_EQ(report_uri, expect_ct_state.report_uri); |
2860 EXPECT_EQ(expiry, expect_ct_state.expiry); | 2894 EXPECT_EQ(expiry, expect_ct_state.expiry); |
2861 | 2895 |
2862 // Test that Expect-CT state is discarded when expired. | 2896 // Test that Expect-CT state is discarded when expired. |
2863 state.AddExpectCT(host, current_time - base::TimeDelta::FromSeconds(1000), | 2897 state.AddExpectCT(host, current_time - base::TimeDelta::FromSeconds(1000), |
2864 true, report_uri); | 2898 true, report_uri); |
2865 EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); | 2899 EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
2866 } | 2900 } |
2867 | 2901 |
| 2902 // Tests that the Expect-CT reporter is not notified for repeated dynamic |
| 2903 // Expect-CT violations for the same host/port. |
| 2904 TEST_F(TransportSecurityStateTest, DynamicExpectCTDeduping) { |
| 2905 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; |
| 2906 SSLInfo ssl; |
| 2907 ssl.is_issued_by_known_root = true; |
| 2908 ssl.ct_compliance_details_available = true; |
| 2909 ssl.ct_cert_policy_compliance = |
| 2910 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS; |
| 2911 scoped_refptr<X509Certificate> cert1 = |
| 2912 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 2913 scoped_refptr<X509Certificate> cert2 = |
| 2914 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 2915 ASSERT_TRUE(cert1); |
| 2916 ASSERT_TRUE(cert2); |
| 2917 SignedCertificateTimestampAndStatusList sct_list; |
| 2918 |
| 2919 base::test::ScopedFeatureList feature_list; |
| 2920 feature_list.InitAndEnableFeature( |
| 2921 TransportSecurityState::kDynamicExpectCTFeature); |
| 2922 base::Time now = base::Time::Now(); |
| 2923 TransportSecurityState state; |
| 2924 MockExpectCTReporter reporter; |
| 2925 state.SetExpectCTReporter(&reporter); |
| 2926 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
| 2927 TransportSecurityState::ExpectCTState expect_ct_state; |
| 2928 EXPECT_TRUE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
| 2929 EXPECT_EQ(GURL("http://foo.test"), expect_ct_state.report_uri); |
| 2930 EXPECT_TRUE(expect_ct_state.enforce); |
| 2931 EXPECT_LT(now, expect_ct_state.expiry); |
| 2932 // No report should be sent when the header was processed over a connection |
| 2933 // that complied with CT policy. |
| 2934 EXPECT_EQ(0u, reporter.num_failures()); |
| 2935 |
| 2936 // The first time the host fails to meet CT requirements, a report should be |
| 2937 // sent. |
| 2938 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 2939 state.CheckCTRequirements( |
| 2940 HostPortPair("example.test", 443), true, HashValueVector(), |
| 2941 cert1.get(), cert2.get(), sct_list, |
| 2942 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2943 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2944 EXPECT_EQ(1u, reporter.num_failures()); |
| 2945 |
| 2946 // The second time it fails to meet CT requirements, a report should not be |
| 2947 // sent. |
| 2948 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 2949 state.CheckCTRequirements( |
| 2950 HostPortPair("example.test", 443), true, HashValueVector(), |
| 2951 cert1.get(), cert2.get(), sct_list, |
| 2952 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2953 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2954 EXPECT_EQ(1u, reporter.num_failures()); |
| 2955 } |
| 2956 |
| 2957 // Tests that the Expect-CT reporter is not notified when the Expect-CT header |
| 2958 // is received repeatedly over non-compliant connections. |
| 2959 TEST_F(TransportSecurityStateTest, DynamicExpectCTHeaderProcessingDeduping) { |
| 2960 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; |
| 2961 SSLInfo ssl; |
| 2962 ssl.is_issued_by_known_root = true; |
| 2963 ssl.ct_compliance_details_available = true; |
| 2964 ssl.ct_cert_policy_compliance = |
| 2965 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; |
| 2966 |
| 2967 base::test::ScopedFeatureList feature_list; |
| 2968 feature_list.InitAndEnableFeature( |
| 2969 TransportSecurityState::kDynamicExpectCTFeature); |
| 2970 TransportSecurityState state; |
| 2971 MockExpectCTReporter reporter; |
| 2972 state.SetExpectCTReporter(&reporter); |
| 2973 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
| 2974 TransportSecurityState::ExpectCTState expect_ct_state; |
| 2975 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
| 2976 // The first time the header was received over a connection that failed to |
| 2977 // meet CT requirements, a report should be sent. |
| 2978 EXPECT_EQ(1u, reporter.num_failures()); |
| 2979 |
| 2980 // The second time the header was received, no report should be sent. |
| 2981 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
| 2982 EXPECT_EQ(1u, reporter.num_failures()); |
| 2983 } |
| 2984 |
2868 // Tests that dynamic Expect-CT state cannot be added when the feature is not | 2985 // Tests that dynamic Expect-CT state cannot be added when the feature is not |
2869 // enabled. | 2986 // enabled. |
2870 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateDisabled) { | 2987 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateDisabled) { |
2871 base::test::ScopedFeatureList feature_list; | 2988 base::test::ScopedFeatureList feature_list; |
2872 feature_list.InitAndDisableFeature( | 2989 feature_list.InitAndDisableFeature( |
2873 TransportSecurityState::kDynamicExpectCTFeature); | 2990 TransportSecurityState::kDynamicExpectCTFeature); |
2874 const std::string host("example.test"); | 2991 const std::string host("example.test"); |
2875 TransportSecurityState state; | 2992 TransportSecurityState state; |
2876 TransportSecurityState::ExpectCTState expect_ct_state; | 2993 TransportSecurityState::ExpectCTState expect_ct_state; |
2877 const base::Time current_time = base::Time::Now(); | 2994 const base::Time current_time = base::Time::Now(); |
3186 EXPECT_EQ(443, reporter.host_port_pair().port()); | 3303 EXPECT_EQ(443, reporter.host_port_pair().port()); |
3187 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); | 3304 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
3188 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); | 3305 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
3189 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); | 3306 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
3190 EXPECT_EQ(sct_list[0].status, | 3307 EXPECT_EQ(sct_list[0].status, |
3191 reporter.signed_certificate_timestamps()[0].status); | 3308 reporter.signed_certificate_timestamps()[0].status); |
3192 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); | 3309 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
3193 } | 3310 } |
3194 | 3311 |
3195 } // namespace net | 3312 } // namespace net |
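Review bot: The three new deduping tests (new lines 2101-2131 and 2904-2983) only assert that the second report is suppressed, so an implementation that dropped every Expect-CT report after the first would pass all of them. None of them checks that a violation for a different host is still reported, although the comment on DynamicExpectCTDeduping scopes the suppression to "the same host/port". Over-suppression would silently reduce visibility into CT failures, so the boundary deserves a test. The simplest place is the end of DynamicExpectCTHeaderProcessingDeduping, using a made-up second host: `state.ProcessExpectCTHeader(kHeader, HostPortPair("other.test", 443), ssl);` followed by `EXPECT_EQ(2u, reporter.num_failures());`. The cache key and any expiry are not visible on this page, so confirm the expected count against the implementation; if suppressed entries are meant to expire, that path needs its own test too.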