| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| (...skipping 851 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 862 MOCK_METHOD1(SetObserver, void(CTVerifier::Observer*)); | 862 MOCK_METHOD1(SetObserver, void(CTVerifier::Observer*)); |
| 863 }; | 863 }; |
| 864 | 864 |
| 865 // A mock CTPolicyEnforcer that returns a custom verification result. | 865 // A mock CTPolicyEnforcer that returns a custom verification result. |
| 866 class MockCTPolicyEnforcer : public CTPolicyEnforcer { | 866 class MockCTPolicyEnforcer : public CTPolicyEnforcer { |
| 867 public: | 867 public: |
| 868 MOCK_METHOD3(DoesConformToCertPolicy, | 868 MOCK_METHOD3(DoesConformToCertPolicy, |
| 869 ct::CertPolicyCompliance(X509Certificate* cert, | 869 ct::CertPolicyCompliance(X509Certificate* cert, |
| 870 const ct::SCTList&, | 870 const ct::SCTList&, |
| 871 const NetLogWithSource&)); | 871 const NetLogWithSource&)); |
| 872 MOCK_METHOD4(DoesConformToCTEVPolicy, | |
| 873 ct::EVPolicyCompliance(X509Certificate* cert, | |
| 874 const ct::EVCertsWhitelist*, | |
| 875 const ct::SCTList&, | |
| 876 const NetLogWithSource&)); | |
| 877 }; | 872 }; |
| 878 | 873 |
| 879 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { | 874 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
| 880 public: | 875 public: |
| 881 MOCK_METHOD1(IsCTRequiredForHost, | 876 MOCK_METHOD1(IsCTRequiredForHost, |
| 882 CTRequirementLevel(const std::string& host)); | 877 CTRequirementLevel(const std::string& host)); |
| 883 }; | 878 }; |
| 884 | 879 |
| 885 class SSLClientSocketTest : public PlatformTest { | 880 class SSLClientSocketTest : public PlatformTest { |
| 886 public: | 881 public: |
| 887 SSLClientSocketTest() | 882 SSLClientSocketTest() |
| 888 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | 883 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), |
| 889 cert_verifier_(new MockCertVerifier), | 884 cert_verifier_(new MockCertVerifier), |
| 890 transport_security_state_(new TransportSecurityState), | 885 transport_security_state_(new TransportSecurityState), |
| 891 ct_verifier_(new DoNothingCTVerifier), | 886 ct_verifier_(new DoNothingCTVerifier), |
| 892 ct_policy_enforcer_(new MockCTPolicyEnforcer) { | 887 ct_policy_enforcer_(new MockCTPolicyEnforcer) { |
| 893 cert_verifier_->set_default_result(OK); | 888 cert_verifier_->set_default_result(OK); |
| 894 context_.cert_verifier = cert_verifier_.get(); | 889 context_.cert_verifier = cert_verifier_.get(); |
| 895 context_.transport_security_state = transport_security_state_.get(); | 890 context_.transport_security_state = transport_security_state_.get(); |
| 896 context_.cert_transparency_verifier = ct_verifier_.get(); | 891 context_.cert_transparency_verifier = ct_verifier_.get(); |
| 897 context_.ct_policy_enforcer = ct_policy_enforcer_.get(); | 892 context_.ct_policy_enforcer = ct_policy_enforcer_.get(); |
| 898 | 893 |
| 899 EXPECT_CALL(*ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) | 894 EXPECT_CALL(*ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) |
| 900 .WillRepeatedly( | 895 .WillRepeatedly( |
| 901 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); | 896 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
| 902 EXPECT_CALL(*ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) | |
| 903 .WillRepeatedly( | |
| 904 Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); | |
| 905 } | 897 } |
| 906 | 898 |
| 907 protected: | 899 protected: |
| 908 // The address of the spawned test server, after calling StartTestServer(). | 900 // The address of the spawned test server, after calling StartTestServer(). |
| 909 const AddressList& addr() const { return addr_; } | 901 const AddressList& addr() const { return addr_; } |
| 910 | 902 |
| 911 // The SpawnedTestServer object, after calling StartTestServer(). | 903 // The SpawnedTestServer object, after calling StartTestServer(). |
| 912 const SpawnedTestServer* spawned_test_server() const { | 904 const SpawnedTestServer* spawned_test_server() const { |
| 913 return spawned_test_server_.get(); | 905 return spawned_test_server_.get(); |
| 914 } | 906 } |
| (...skipping 1642 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2557 | 2549 |
| 2558 SSLConfig ssl_config; | 2550 SSLConfig ssl_config; |
| 2559 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); | 2551 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); |
| 2560 | 2552 |
| 2561 // Emulate compliance of the certificate to the policy. | 2553 // Emulate compliance of the certificate to the policy. |
| 2562 MockCTPolicyEnforcer policy_enforcer; | 2554 MockCTPolicyEnforcer policy_enforcer; |
| 2563 SetCTPolicyEnforcer(&policy_enforcer); | 2555 SetCTPolicyEnforcer(&policy_enforcer); |
| 2564 EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _, _)) | 2556 EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _, _)) |
| 2565 .WillRepeatedly( | 2557 .WillRepeatedly( |
| 2566 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); | 2558 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
| 2567 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) | |
| 2568 .WillRepeatedly( | |
| 2569 Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); | |
| 2570 | 2559 |
| 2571 int rv; | 2560 int rv; |
| 2572 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2561 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2573 EXPECT_THAT(rv, IsOk()); | 2562 EXPECT_THAT(rv, IsOk()); |
| 2574 | 2563 |
| 2575 SSLInfo result; | 2564 SSLInfo result; |
| 2576 ASSERT_TRUE(sock_->GetSSLInfo(&result)); | 2565 ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
| 2577 | 2566 |
| 2578 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV); | 2567 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV); |
| 2579 } | 2568 } |
| 2580 | 2569 |
| 2581 // Test that when a CT verifier and a CTPolicyEnforcer are defined, but | 2570 // Test that when a CT verifier and a CTPolicyEnforcer are defined, but |
| 2582 // the EV certificate used does not conform to the CT/EV policy, its EV status | 2571 // the EV certificate used does not conform to the CT/EV policy, its EV status |
| 2583 // is removed. | 2572 // is removed. |
| 2584 TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) { | 2573 TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) { |
| 2585 SpawnedTestServer::SSLOptions ssl_options; | 2574 SpawnedTestServer::SSLOptions ssl_options; |
| 2586 ASSERT_TRUE(StartTestServer(ssl_options)); | 2575 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 2587 | 2576 |
| 2588 SSLConfig ssl_config; | 2577 SSLConfig ssl_config; |
| 2589 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); | 2578 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config); |
| 2590 | 2579 |
| 2591 // Emulate non-compliance of the certificate to the policy. | 2580 // Emulate non-compliance of the certificate to the policy. |
| 2592 MockCTPolicyEnforcer policy_enforcer; | 2581 MockCTPolicyEnforcer policy_enforcer; |
| 2593 SetCTPolicyEnforcer(&policy_enforcer); | 2582 SetCTPolicyEnforcer(&policy_enforcer); |
| 2594 EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _, _)) | 2583 EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _, _)) |
| 2595 .WillRepeatedly( | 2584 .WillRepeatedly( |
| 2596 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | 2585 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2597 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) | |
| 2598 .WillRepeatedly( | |
| 2599 Return(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS)); | |
| 2600 | 2586 |
| 2601 int rv; | 2587 int rv; |
| 2602 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2588 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2603 EXPECT_THAT(rv, IsOk()); | 2589 EXPECT_THAT(rv, IsOk()); |
| 2604 | 2590 |
| 2605 SSLInfo result; | 2591 SSLInfo result; |
| 2606 ASSERT_TRUE(sock_->GetSSLInfo(&result)); | 2592 ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
| 2607 | 2593 |
| 2608 EXPECT_FALSE(result.cert_status & CERT_STATUS_IS_EV); | 2594 EXPECT_FALSE(result.cert_status & CERT_STATUS_IS_EV); |
| 2609 EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED); | 2595 EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED); |
| (...skipping 1391 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4001 // The read buffer should be released. | 3987 // The read buffer should be released. |
| 4002 StreamSocket::SocketMemoryStats stats; | 3988 StreamSocket::SocketMemoryStats stats; |
| 4003 client->DumpMemoryStats(&stats); | 3989 client->DumpMemoryStats(&stats); |
| 4004 EXPECT_EQ(0u, stats.buffer_size); | 3990 EXPECT_EQ(0u, stats.buffer_size); |
| 4005 EXPECT_EQ(1u, stats.cert_count); | 3991 EXPECT_EQ(1u, stats.cert_count); |
| 4006 EXPECT_LT(0u, stats.cert_size); | 3992 EXPECT_LT(0u, stats.cert_size); |
| 4007 EXPECT_EQ(stats.cert_size, stats.total_size); | 3993 EXPECT_EQ(stats.cert_size, stats.total_size); |
| 4008 } | 3994 } |
| 4009 | 3995 |
| 4010 } // namespace net | 3996 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2937563002:
Remove the EV Certs Whitelist (Closed)
