OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/chromium/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/chromium/crypto/proof_verifier_chromium.h" |
6 | 6 |
7 #include "base/memory/ptr_util.h" | 7 #include "base/memory/ptr_util.h" |
8 #include "base/memory/ref_counted.h" | 8 #include "base/memory/ref_counted.h" |
9 #include "net/base/net_errors.h" | 9 #include "net/base/net_errors.h" |
10 #include "net/cert/cert_status_flags.h" | 10 #include "net/cert/cert_status_flags.h" |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
43 CRLSet* crl_set, | 43 CRLSet* crl_set, |
44 CertVerifyResult* verify_result, | 44 CertVerifyResult* verify_result, |
45 const CompletionCallback& callback, | 45 const CompletionCallback& callback, |
46 std::unique_ptr<Request>* out_req, | 46 std::unique_ptr<Request>* out_req, |
47 const NetLogWithSource& net_log) override { | 47 const NetLogWithSource& net_log) override { |
48 ADD_FAILURE() << "CertVerifier::Verify() should not be called"; | 48 ADD_FAILURE() << "CertVerifier::Verify() should not be called"; |
49 return ERR_FAILED; | 49 return ERR_FAILED; |
50 } | 50 } |
51 }; | 51 }; |
52 | 52 |
53 // CTPolicyEnforcer that will fail the test if it is ever called. | |
54 class FailsTestCTPolicyEnforcer : public CTPolicyEnforcer { | |
55 public: | |
56 FailsTestCTPolicyEnforcer() {} | |
57 ~FailsTestCTPolicyEnforcer() override {} | |
58 | |
59 ct::EVPolicyCompliance DoesConformToCTEVPolicy( | |
60 X509Certificate* cert, | |
61 const ct::EVCertsWhitelist* ev_whitelist, | |
62 const ct::SCTList& verified_scts, | |
63 const NetLogWithSource& net_log) override { | |
64 ADD_FAILURE() << "CTPolicyEnforcer::DoesConformToCTEVPolicy() should " | |
65 << "not be called"; | |
66 return ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | |
67 } | |
68 }; | |
69 | |
70 // A mock CTPolicyEnforcer that returns a custom verification result. | 53 // A mock CTPolicyEnforcer that returns a custom verification result. |
71 class MockCTPolicyEnforcer : public CTPolicyEnforcer { | 54 class MockCTPolicyEnforcer : public CTPolicyEnforcer { |
72 public: | 55 public: |
73 MOCK_METHOD3(DoesConformToCertPolicy, | 56 MOCK_METHOD3(DoesConformToCertPolicy, |
74 ct::CertPolicyCompliance(X509Certificate* cert, | 57 ct::CertPolicyCompliance(X509Certificate* cert, |
75 const ct::SCTList&, | 58 const ct::SCTList&, |
76 const NetLogWithSource&)); | 59 const NetLogWithSource&)); |
77 MOCK_METHOD4(DoesConformToCTEVPolicy, | |
78 ct::EVPolicyCompliance(X509Certificate* cert, | |
79 const ct::EVCertsWhitelist*, | |
80 const ct::SCTList&, | |
81 const NetLogWithSource&)); | |
82 }; | 60 }; |
83 | 61 |
84 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { | 62 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
85 public: | 63 public: |
86 MOCK_METHOD1(IsCTRequiredForHost, | 64 MOCK_METHOD1(IsCTRequiredForHost, |
87 CTRequirementLevel(const std::string& host)); | 65 CTRequirementLevel(const std::string& host)); |
88 }; | 66 }; |
89 | 67 |
90 // Proof source callback which saves the signature into |signature|. | 68 // Proof source callback which saves the signature into |signature|. |
91 class SignatureSaver : public ProofSource::Callback { | 69 class SignatureSaver : public ProofSource::Callback { |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
127 class ProofVerifierChromiumTest : public ::testing::Test { | 105 class ProofVerifierChromiumTest : public ::testing::Test { |
128 public: | 106 public: |
129 ProofVerifierChromiumTest() | 107 ProofVerifierChromiumTest() |
130 : verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/, | 108 : verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/, |
131 NetLogWithSource())) {} | 109 NetLogWithSource())) {} |
132 | 110 |
133 void SetUp() override { | 111 void SetUp() override { |
134 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) | 112 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) |
135 .WillRepeatedly( | 113 .WillRepeatedly( |
136 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | 114 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
137 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) | |
138 .WillRepeatedly( | |
139 Return(ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY)); | |
140 | 115 |
141 scoped_refptr<const CTLogVerifier> log( | 116 scoped_refptr<const CTLogVerifier> log( |
142 CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription, | 117 CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription, |
143 "https://test.example.com", "dns.example.com")); | 118 "https://test.example.com", "dns.example.com")); |
144 ASSERT_TRUE(log); | 119 ASSERT_TRUE(log); |
145 log_verifiers_.push_back(log); | 120 log_verifiers_.push_back(log); |
146 | 121 |
147 ct_verifier_.reset(new MultiLogCTVerifier()); | 122 ct_verifier_.reset(new MultiLogCTVerifier()); |
148 ct_verifier_->AddLogs(log_verifiers_); | 123 ct_verifier_->AddLogs(log_verifiers_); |
149 | 124 |
(...skipping 154 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
304 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | 279 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
305 ASSERT_TRUE(test_cert); | 280 ASSERT_TRUE(test_cert); |
306 | 281 |
307 CertVerifyResult dummy_result; | 282 CertVerifyResult dummy_result; |
308 dummy_result.verified_cert = test_cert; | 283 dummy_result.verified_cert = test_cert; |
309 dummy_result.cert_status = CERT_STATUS_IS_EV; | 284 dummy_result.cert_status = CERT_STATUS_IS_EV; |
310 | 285 |
311 MockCertVerifier dummy_verifier; | 286 MockCertVerifier dummy_verifier; |
312 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 287 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
313 | 288 |
314 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) | 289 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) |
315 .WillRepeatedly( | 290 .WillRepeatedly( |
316 Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); | 291 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
317 | 292 |
318 ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, | 293 ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, |
319 &transport_security_state_, | 294 &transport_security_state_, |
320 ct_verifier_.get()); | 295 ct_verifier_.get()); |
321 | 296 |
322 std::unique_ptr<DummyProofVerifierCallback> callback( | 297 std::unique_ptr<DummyProofVerifierCallback> callback( |
323 new DummyProofVerifierCallback); | 298 new DummyProofVerifierCallback); |
324 QuicAsyncStatus status = proof_verifier.VerifyProof( | 299 QuicAsyncStatus status = proof_verifier.VerifyProof( |
325 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, | 300 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, |
326 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), | 301 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), |
(...skipping 13 matching lines...) Expand all Loading... |
340 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | 315 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); |
341 ASSERT_TRUE(test_cert); | 316 ASSERT_TRUE(test_cert); |
342 | 317 |
343 CertVerifyResult dummy_result; | 318 CertVerifyResult dummy_result; |
344 dummy_result.verified_cert = test_cert; | 319 dummy_result.verified_cert = test_cert; |
345 dummy_result.cert_status = CERT_STATUS_IS_EV; | 320 dummy_result.cert_status = CERT_STATUS_IS_EV; |
346 | 321 |
347 MockCertVerifier dummy_verifier; | 322 MockCertVerifier dummy_verifier; |
348 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | 323 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); |
349 | 324 |
350 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) | 325 EXPECT_CALL(ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) |
351 .WillRepeatedly( | 326 .WillRepeatedly( |
352 Return(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS)); | 327 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
353 | 328 |
354 ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, | 329 ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, |
355 &transport_security_state_, | 330 &transport_security_state_, |
356 ct_verifier_.get()); | 331 ct_verifier_.get()); |
357 | 332 |
358 std::unique_ptr<DummyProofVerifierCallback> callback( | 333 std::unique_ptr<DummyProofVerifierCallback> callback( |
359 new DummyProofVerifierCallback); | 334 new DummyProofVerifierCallback); |
360 QuicAsyncStatus status = proof_verifier.VerifyProof( | 335 QuicAsyncStatus status = proof_verifier.VerifyProof( |
361 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, | 336 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, |
362 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), | 337 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), |
363 &error_details_, &details_, std::move(callback)); | 338 &error_details_, &details_, std::move(callback)); |
364 ASSERT_EQ(QUIC_SUCCESS, status); | 339 ASSERT_EQ(QUIC_SUCCESS, status); |
365 | 340 |
366 ASSERT_TRUE(details_.get()); | 341 ASSERT_TRUE(details_.get()); |
367 ProofVerifyDetailsChromium* verify_details = | 342 ProofVerifyDetailsChromium* verify_details = |
368 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 343 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
369 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED, | 344 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED, |
370 verify_details->cert_verify_result.cert_status & | 345 verify_details->cert_verify_result.cert_status & |
371 (CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV)); | 346 (CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV)); |
372 } | 347 } |
373 | 348 |
374 // Tests that the certificate policy enforcer is not consulted if | |
375 // the certificate is not EV. | |
376 TEST_F(ProofVerifierChromiumTest, IgnoresPolicyEnforcerIfNotEV) { | |
377 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate(); | |
378 ASSERT_TRUE(test_cert); | |
379 | |
380 CertVerifyResult dummy_result; | |
381 dummy_result.verified_cert = test_cert; | |
382 dummy_result.cert_status = 0; | |
383 | |
384 MockCertVerifier dummy_verifier; | |
385 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); | |
386 | |
387 FailsTestCTPolicyEnforcer policy_enforcer; | |
388 | |
389 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, | |
390 &transport_security_state_, | |
391 ct_verifier_.get()); | |
392 | |
393 std::unique_ptr<DummyProofVerifierCallback> callback( | |
394 new DummyProofVerifierCallback); | |
395 QuicAsyncStatus status = proof_verifier.VerifyProof( | |
396 kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_35, kTestChloHash, | |
397 certs_, kTestEmptySCT, GetTestSignature(), verify_context_.get(), | |
398 &error_details_, &details_, std::move(callback)); | |
399 ASSERT_EQ(QUIC_SUCCESS, status); | |
400 | |
401 ASSERT_TRUE(details_.get()); | |
402 ProofVerifyDetailsChromium* verify_details = | |
403 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | |
404 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | |
405 } | |
406 | |
407 HashValueVector MakeHashValueVector(uint8_t tag) { | 349 HashValueVector MakeHashValueVector(uint8_t tag) { |
408 HashValue hash(HASH_VALUE_SHA256); | 350 HashValue hash(HASH_VALUE_SHA256); |
409 memset(hash.data(), tag, hash.size()); | 351 memset(hash.data(), tag, hash.size()); |
410 HashValueVector hashes; | 352 HashValueVector hashes; |
411 hashes.push_back(hash); | 353 hashes.push_back(hash); |
412 return hashes; | 354 return hashes; |
413 } | 355 } |
414 | 356 |
415 // Test that PKP is enforced for certificates that chain up to known roots. | 357 // Test that PKP is enforced for certificates that chain up to known roots. |
416 TEST_F(ProofVerifierChromiumTest, PKPEnforced) { | 358 TEST_F(ProofVerifierChromiumTest, PKPEnforced) { |
(...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
615 ASSERT_EQ(QUIC_SUCCESS, status); | 557 ASSERT_EQ(QUIC_SUCCESS, status); |
616 | 558 |
617 ASSERT_TRUE(details_.get()); | 559 ASSERT_TRUE(details_.get()); |
618 ProofVerifyDetailsChromium* verify_details = | 560 ProofVerifyDetailsChromium* verify_details = |
619 static_cast<ProofVerifyDetailsChromium*>(details_.get()); | 561 static_cast<ProofVerifyDetailsChromium*>(details_.get()); |
620 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); | 562 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status); |
621 } | 563 } |
622 | 564 |
623 } // namespace test | 565 } // namespace test |
624 } // namespace net | 566 } // namespace net |
OLD | NEW |