| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/chromium/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/chromium/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include "base/memory/ptr_util.h" | 7 #include "base/memory/ptr_util.h" |
| 8 #include "base/memory/ref_counted.h" | 8 #include "base/memory/ref_counted.h" |
| 9 #include "net/base/net_errors.h" | 9 #include "net/base/net_errors.h" |
| 10 #include "net/cert/cert_status_flags.h" | 10 #include "net/cert/cert_status_flags.h" |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 43 CRLSet* crl_set, | 43 CRLSet* crl_set, |
| 44 CertVerifyResult* verify_result, | 44 CertVerifyResult* verify_result, |
| 45 const CompletionCallback& callback, | 45 const CompletionCallback& callback, |
| 46 std::unique_ptr<Request>* out_req, | 46 std::unique_ptr<Request>* out_req, |
| 47 const NetLogWithSource& net_log) override { | 47 const NetLogWithSource& net_log) override { |
| 48 ADD_FAILURE() << "CertVerifier::Verify() should not be called"; | 48 ADD_FAILURE() << "CertVerifier::Verify() should not be called"; |
| 49 return ERR_FAILED; | 49 return ERR_FAILED; |
| 50 } | 50 } |
| 51 }; | 51 }; |
| 52 | 52 |
| 53 // CTPolicyEnforcer that will fail the test if it is ever called. | |
| 54 class FailsTestCTPolicyEnforcer : public CTPolicyEnforcer { | |
| 55 public: | |
| 56 FailsTestCTPolicyEnforcer() {} | |
| 57 ~FailsTestCTPolicyEnforcer() override {} | |
| 58 | |
| 59 ct::EVPolicyCompliance DoesConformToCTEVPolicy( | |
| 60 X509Certificate* cert, | |
| 61 const ct::EVCertsWhitelist* ev_whitelist, | |
| 62 const ct::SCTList& verified_scts, | |
| 63 const NetLogWithSource& net_log) override { | |
| 64 ADD_FAILURE() << "CTPolicyEnforcer::DoesConformToCTEVPolicy() should " | |
| 65 << "not be called"; | |
| 66 return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | |
| 67 } | |
| 68 }; | |
| 69 | |
| 70 // A mock CTPolicyEnforcer that returns a custom verification result. | 53 // A mock CTPolicyEnforcer that returns a custom verification result. |
| 71 class MockCTPolicyEnforcer : public CTPolicyEnforcer { | 54 class MockCTPolicyEnforcer : public CTPolicyEnforcer { |
| 72 public: | 55 public: |
| 73 MOCK_METHOD3(DoesConformToCertPolicy, | 56 MOCK_METHOD3(DoesConformToCertPolicy, |
| 74 ct::CertPolicyCompliance(X509Certificate* cert, | 57 ct::CertPolicyCompliance(X509Certificate* cert, |
| 75 const ct::SCTList&, | 58 const ct::SCTList&, |
| 76 const NetLogWithSource&)); | 59 const NetLogWithSource&)); |
| 77 MOCK_METHOD4(DoesConformToCTEVPolicy, | |
| 78 ct::EVPolicyCompliance(X509Certificate* cert, | |
| 79 const ct::EVCertsWhitelist*, | |
| 80 const ct::SCTList&, | |
| 81 const NetLogWithSource&)); | |
| 82 }; | 60 }; |
| 83 | 61 |
| 84 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { | 62 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
| 85 public: | 63 public: |
| 86 MOCK_METHOD1(IsCTRequiredForHost, | 64 MOCK_METHOD1(IsCTRequiredForHost, |
| 87 CTRequirementLevel(const std::string& host)); | 65 CTRequirementLevel(const std::string& host)); |
| 88 }; | 66 }; |
| 89 | 67 |
| 90 // Proof source callback which saves the signature into |signature|. | 68 // Proof source callback which saves the signature into |signature|. |
| 91 class SignatureSaver : public ProofSource::Callback { | 69 class SignatureSaver : public ProofSource::Callback { |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 127 class ProofVerifierChromiumTest : public ::testing::Test { | 105 class ProofVerifierChromiumTest : public ::testing::Test { |
| 128 public: | 106 public: |
| 129 ProofVerifierChromiumTest() | 107 ProofVerifierChromiumTest() |
| 130 : verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/, | 108 : verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/, |
| 131 NetLogWithSource())) {} | 109 NetLogWithSource())) {} |
| 132 | 110 |
| 133 void SetUp() override { | 111 void SetUp() override { |
| 134 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) | 112 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) |
| 135 .WillRepeatedly( | 113 .WillRepeatedly( |
| 136 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | 114 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 137 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) | |
| 138 .WillRepeatedly( | |
| 139 Return(ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY)); | |
| 140 | 115 |
| 141 scoped_refptr<const CTLogVerifier> log( | 116 scoped_refptr<const CTLogVerifier> log( |
| 142 CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription, | 117 CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription, |
| 143 "https://test.example.com", "dns.example.com")); | 118 "https://test.example.com", "dns.example.com")); |
| 144 ASSERT_TRUE(log); | 119 ASSERT_TRUE(log); |
| 145 log_verifiers_.push_back(log); | 120 log_verifiers_.push_back(log); |
| 146 | 121 |
| 147 ct_verifier_.reset(new MultiLogCTVerifier()); | 122 ct_verifier_.reset(new MultiLogCTVerifier()); |
| 148 ct_verifier_->AddLogs(log_verifiers_); | 123 ct_verifier_->AddLogs(log_verifiers_); |
| 149 | 124 |
| (...skipping 154 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 304 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | 279 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
| 305 ASSERT_TRUE(test_cert); | 280 ASSERT_TRUE(test_cert); |
| 306 | 281 |
| 307 CertVerifyResult dummy_result; | 282 CertVerifyResult dummy_result; |
| 308 dummy_result.verified_cert = test_cert; | 283 dummy_result.verified_cert = test_cert; |
| 309 dummy_result.cert_status = CERT_STATUS_IS_EV; | 284 dummy_result.cert_status = CERT_STATUS_IS_EV; |
| 310 | 285 |
| 311 MockCertVerifier dummy_verifier; | 286 MockCertVerifier dummy_verifier; |
| 312 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 287 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 313 | 288 |
| 314 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) | 289 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) |
| 315 .WillRepeatedly( | 290 .WillRepeatedly( |
| 316 Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); | 291 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
| 317 | 292 |
| 318 ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, | 293 ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, |
| 319 &transport_security_state_, | 294 &transport_security_state_, |
| 320 ct_verifier_.get()); | 295 ct_verifier_.get()); |
| 321 | 296 |
| 322 std::unique_ptr<DummyProofVerifierCallback> callback( | 297 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 323 new DummyProofVerifierCallback); | 298 new DummyProofVerifierCallback); |
| 324 QuicAsyncStatus status = proof_verifier.VerifyProof( | 299 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 325 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, | 300 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, |
| 326 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), | 301 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), |
| (...skipping 13 matching lines...) Expand all Loading... |
| 340 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | 315 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
| 341 ASSERT_TRUE(test_cert); | 316 ASSERT_TRUE(test_cert); |
| 342 | 317 |
| 343 CertVerifyResult dummy_result; | 318 CertVerifyResult dummy_result; |
| 344 dummy_result.verified_cert = test_cert; | 319 dummy_result.verified_cert = test_cert; |
| 345 dummy_result.cert_status = CERT_STATUS_IS_EV; | 320 dummy_result.cert_status = CERT_STATUS_IS_EV; |
| 346 | 321 |
| 347 MockCertVerifier dummy_verifier; | 322 MockCertVerifier dummy_verifier; |
| 348 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 323 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
| 349 | 324 |
| 350 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) | 325 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) |
| 351 .WillRepeatedly( | 326 .WillRepeatedly( |
| 352 Return(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS)); | 327 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 353 | 328 |
| 354 ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, | 329 ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, |
| 355 &transport_security_state_, | 330 &transport_security_state_, |
| 356 ct_verifier_.get()); | 331 ct_verifier_.get()); |
| 357 | 332 |
| 358 std::unique_ptr<DummyProofVerifierCallback> callback( | 333 std::unique_ptr<DummyProofVerifierCallback> callback( |
| 359 new DummyProofVerifierCallback); | 334 new DummyProofVerifierCallback); |
| 360 QuicAsyncStatus status = proof_verifier.VerifyProof( | 335 QuicAsyncStatus status = proof_verifier.VerifyProof( |
| 361 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, | 336 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, |
| 362 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), | 337 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), |
| 363 &error_details_, &details_, std::move(callback)); | 338 &error_details_, &details_, std::move(callback)); |
| 364 ASSERT_EQ(QUIC_SUCCESS, status); | 339 ASSERT_EQ(QUIC_SUCCESS, status); |
| 365 | 340 |
| 366 ASSERT_TRUE(details_.get()); | 341 ASSERT_TRUE(details_.get()); |
| 367 ProofVerifyDetailsChromium* verify_details = | 342 ProofVerifyDetailsChromium* verify_details = |
| 368 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 343 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| 369 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED, | 344 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED, |
| 370 verify_details->cert_verify_result.cert_status & | 345 verify_details->cert_verify_result.cert_status & |
| 371 (CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV)); | 346 (CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV)); |
| 372 } | 347 } |
| 373 | 348 |
| 374 // Tests that the certificate policy enforcer is not consulted if | |
| 375 // the certificate is not EV. | |
| 376 TEST_F(ProofVerifierChromiumTest, IgnoresPolicyEnforcerIfNotEV) { | |
| 377 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
| 378 ASSERT_TRUE(test_cert); | |
| 379 | |
| 380 CertVerifyResult dummy_result; | |
| 381 dummy_result.verified_cert = test_cert; | |
| 382 dummy_result.cert_status = 0; | |
| 383 | |
| 384 MockCertVerifier dummy_verifier; | |
| 385 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
| 386 | |
| 387 FailsTestCTPolicyEnforcer policy_enforcer; | |
| 388 | |
| 389 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | |
| 390 &transport_security_state_, | |
| 391 ct_verifier_.get()); | |
| 392 | |
| 393 std::unique_ptr<DummyProofVerifierCallback> callback( | |
| 394 new DummyProofVerifierCallback); | |
| 395 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
| 396 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, | |
| 397 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), | |
| 398 &error_details_, &details_, std::move(callback)); | |
| 399 ASSERT_EQ(QUIC_SUCCESS, status); | |
| 400 | |
| 401 ASSERT_TRUE(details_.get()); | |
| 402 ProofVerifyDetailsChromium* verify_details = | |
| 403 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | |
| 404 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | |
| 405 } | |
| 406 | |
| 407 HashValueVector MakeHashValueVector(uint8_t tag) { | 349 HashValueVector MakeHashValueVector(uint8_t tag) { |
| 408 HashValue hash(HASH_VALUE_SHA256); | 350 HashValue hash(HASH_VALUE_SHA256); |
| 409 memset(hash.data(), tag, hash.size()); | 351 memset(hash.data(), tag, hash.size()); |
| 410 HashValueVector hashes; | 352 HashValueVector hashes; |
| 411 hashes.push_back(hash); | 353 hashes.push_back(hash); |
| 412 return hashes; | 354 return hashes; |
| 413 } | 355 } |
| 414 | 356 |
| 415 // Test that PKP is enforced for certificates that chain up to known roots. | 357 // Test that PKP is enforced for certificates that chain up to known roots. |
| 416 TEST_F(ProofVerifierChromiumTest, PKPEnforced) { | 358 TEST_F(ProofVerifierChromiumTest, PKPEnforced) { |
| (...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 615 ASSERT_EQ(QUIC_SUCCESS, status); | 557 ASSERT_EQ(QUIC_SUCCESS, status); |
| 616 | 558 |
| 617 ASSERT_TRUE(details_.get()); | 559 ASSERT_TRUE(details_.get()); |
| 618 ProofVerifyDetailsChromium* verify_details = | 560 ProofVerifyDetailsChromium* verify_details = |
| 619 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 561 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
| 620 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | 562 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
| 621 } | 563 } |
| 622 | 564 |
| 623 } // namespace test | 565 } // namespace test |
| 624 } // namespace net | 566 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2937563002:
Remove the EV Certs Whitelist (Closed)
