OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 163 matching lines...)
174 | 174 |
175 // A mock ExpectCTReporter that remembers the latest violation that was | 175 // A mock ExpectCTReporter that remembers the latest violation that was |
176 // reported and the number of violations reported. | 176 // reported and the number of violations reported. |
177 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { | 177 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { |
178 public: | 178 public: |
179 MockExpectCTReporter() : num_failures_(0) {} | 179 MockExpectCTReporter() : num_failures_(0) {} |
180 ~MockExpectCTReporter() override {} | 180 ~MockExpectCTReporter() override {} |
181 | 181 |
182 void OnExpectCTFailed(const HostPortPair& host_port_pair, | 182 void OnExpectCTFailed(const HostPortPair& host_port_pair, |
183 const GURL& report_uri, | 183 const GURL& report_uri, |
| 184 base::Time expiration, |
184 const X509Certificate* validated_certificate_chain, | 185 const X509Certificate* validated_certificate_chain, |
185 const X509Certificate* served_certificate_chain, | 186 const X509Certificate* served_certificate_chain, |
186 const SignedCertificateTimestampAndStatusList& | 187 const SignedCertificateTimestampAndStatusList& |
187 signed_certificate_timestamps) override { | 188 signed_certificate_timestamps) override { |
188 num_failures_++; | 189 num_failures_++; |
189 host_port_pair_ = host_port_pair; | 190 host_port_pair_ = host_port_pair; |
190 report_uri_ = report_uri; | 191 report_uri_ = report_uri; |
| 192 expiration_ = expiration; |
191 served_certificate_chain_ = served_certificate_chain; | 193 served_certificate_chain_ = served_certificate_chain; |
192 validated_certificate_chain_ = validated_certificate_chain; | 194 validated_certificate_chain_ = validated_certificate_chain; |
193 signed_certificate_timestamps_ = signed_certificate_timestamps; | 195 signed_certificate_timestamps_ = signed_certificate_timestamps; |
194 } | 196 } |
195 | 197 |
196 const HostPortPair& host_port_pair() { return host_port_pair_; } | 198 const HostPortPair& host_port_pair() { return host_port_pair_; } |
197 const GURL& report_uri() { return report_uri_; } | 199 const GURL& report_uri() { return report_uri_; } |
| 200 const base::Time& expiration() { return expiration_; } |
198 uint32_t num_failures() { return num_failures_; } | 201 uint32_t num_failures() { return num_failures_; } |
199 const X509Certificate* served_certificate_chain() { | 202 const X509Certificate* served_certificate_chain() { |
200 return served_certificate_chain_; | 203 return served_certificate_chain_; |
201 } | 204 } |
202 const X509Certificate* validated_certificate_chain() { | 205 const X509Certificate* validated_certificate_chain() { |
203 return validated_certificate_chain_; | 206 return validated_certificate_chain_; |
204 } | 207 } |
205 const SignedCertificateTimestampAndStatusList& | 208 const SignedCertificateTimestampAndStatusList& |
206 signed_certificate_timestamps() { | 209 signed_certificate_timestamps() { |
207 return signed_certificate_timestamps_; | 210 return signed_certificate_timestamps_; |
208 } | 211 } |
209 | 212 |
210 private: | 213 private: |
211 HostPortPair host_port_pair_; | 214 HostPortPair host_port_pair_; |
212 GURL report_uri_; | 215 GURL report_uri_; |
| 216 base::Time expiration_; |
213 uint32_t num_failures_; | 217 uint32_t num_failures_; |
214 const X509Certificate* served_certificate_chain_; | 218 const X509Certificate* served_certificate_chain_; |
215 const X509Certificate* validated_certificate_chain_; | 219 const X509Certificate* validated_certificate_chain_; |
216 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_; | 220 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_; |
217 }; | 221 }; |
218 | 222 |
219 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { | 223 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
220 public: | 224 public: |
221 MOCK_METHOD1(IsCTRequiredForHost, | 225 MOCK_METHOD1(IsCTRequiredForHost, |
222 CTRequirementLevel(const std::string& hostname)); | 226 CTRequirementLevel(const std::string& hostname)); |
(...skipping 1895 matching lines...)
2118 &ssl_info.signed_certificate_timestamps); | 2122 &ssl_info.signed_certificate_timestamps); |
2119 | 2123 |
2120 TransportSecurityState state; | 2124 TransportSecurityState state; |
2121 TransportSecurityStateTest::EnableStaticExpectCT(&state); | 2125 TransportSecurityStateTest::EnableStaticExpectCT(&state); |
2122 MockExpectCTReporter reporter; | 2126 MockExpectCTReporter reporter; |
2123 state.SetExpectCTReporter(&reporter); | 2127 state.SetExpectCTReporter(&reporter); |
2124 state.ProcessExpectCTHeader("preload", host_port, ssl_info); | 2128 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
2125 EXPECT_EQ(1u, reporter.num_failures()); | 2129 EXPECT_EQ(1u, reporter.num_failures()); |
2126 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 2130 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
2127 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 2131 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
| 2132 EXPECT_TRUE(reporter.expiration().is_null()); |
2128 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 2133 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
2129 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); | 2134 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); |
2130 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); | 2135 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); |
2131 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), | 2136 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), |
2132 reporter.signed_certificate_timestamps().size()); | 2137 reporter.signed_certificate_timestamps().size()); |
2133 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, | 2138 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, |
2134 reporter.signed_certificate_timestamps()[0].status); | 2139 reporter.signed_certificate_timestamps()[0].status); |
2135 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct, | 2140 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct, |
2136 reporter.signed_certificate_timestamps()[0].sct); | 2141 reporter.signed_certificate_timestamps()[0].sct); |
2137 } | 2142 } |
(...skipping 1037 matching lines...)
3175 feature_list.InitAndEnableFeature( | 3180 feature_list.InitAndEnableFeature( |
3176 TransportSecurityState::kDynamicExpectCTFeature); | 3181 TransportSecurityState::kDynamicExpectCTFeature); |
3177 TransportSecurityState state; | 3182 TransportSecurityState state; |
3178 MockExpectCTReporter reporter; | 3183 MockExpectCTReporter reporter; |
3179 state.SetExpectCTReporter(&reporter); | 3184 state.SetExpectCTReporter(&reporter); |
3180 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); | 3185 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
3181 TransportSecurityState::ExpectCTState expect_ct_state; | 3186 TransportSecurityState::ExpectCTState expect_ct_state; |
3182 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); | 3187 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
3183 EXPECT_EQ(1u, reporter.num_failures()); | 3188 EXPECT_EQ(1u, reporter.num_failures()); |
3184 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | 3189 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 3190 EXPECT_TRUE(reporter.expiration().is_null()); |
3185 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); | 3191 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); |
3186 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); | 3192 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); |
3187 EXPECT_EQ(ssl.signed_certificate_timestamps.size(), | 3193 EXPECT_EQ(ssl.signed_certificate_timestamps.size(), |
3188 reporter.signed_certificate_timestamps().size()); | 3194 reporter.signed_certificate_timestamps().size()); |
3189 EXPECT_EQ(ssl.signed_certificate_timestamps[0].status, | 3195 EXPECT_EQ(ssl.signed_certificate_timestamps[0].status, |
3190 reporter.signed_certificate_timestamps()[0].status); | 3196 reporter.signed_certificate_timestamps()[0].status); |
3191 EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct, | 3197 EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct, |
3192 reporter.signed_certificate_timestamps()[0].sct); | 3198 reporter.signed_certificate_timestamps()[0].sct); |
3193 } | 3199 } |
3194 | 3200 |
(...skipping 45 matching lines...)
3240 // A connection to an Expect-CT host should be closed and reported. | 3246 // A connection to an Expect-CT host should be closed and reported. |
3241 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, | 3247 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
3242 state.CheckCTRequirements( | 3248 state.CheckCTRequirements( |
3243 HostPortPair("example.test", 443), true, HashValueVector(), | 3249 HostPortPair("example.test", 443), true, HashValueVector(), |
3244 cert1.get(), cert2.get(), sct_list, | 3250 cert1.get(), cert2.get(), sct_list, |
3245 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | 3251 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
3246 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | 3252 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
3247 EXPECT_EQ(1u, reporter.num_failures()); | 3253 EXPECT_EQ(1u, reporter.num_failures()); |
3248 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | 3254 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
3249 EXPECT_EQ(443, reporter.host_port_pair().port()); | 3255 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 3256 EXPECT_EQ(expiry, reporter.expiration()); |
3250 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); | 3257 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
3251 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); | 3258 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
3252 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); | 3259 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
3253 EXPECT_EQ(sct_list[0].status, | 3260 EXPECT_EQ(sct_list[0].status, |
3254 reporter.signed_certificate_timestamps()[0].status); | 3261 reporter.signed_certificate_timestamps()[0].status); |
3255 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); | 3262 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
3256 | 3263 |
3257 // A compliant connection to an Expect-CT host should not be closed or | 3264 // A compliant connection to an Expect-CT host should not be closed or |
3258 // reported. | 3265 // reported. |
3259 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, | 3266 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
(...skipping 95 matching lines...)
3355 state.SetRequireCTDelegate(&always_require_delegate); | 3362 state.SetRequireCTDelegate(&always_require_delegate); |
3356 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, | 3363 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
3357 state.CheckCTRequirements( | 3364 state.CheckCTRequirements( |
3358 HostPortPair("example.test", 443), true, HashValueVector(), | 3365 HostPortPair("example.test", 443), true, HashValueVector(), |
3359 cert1.get(), cert2.get(), sct_list, | 3366 cert1.get(), cert2.get(), sct_list, |
3360 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | 3367 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
3361 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | 3368 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
3362 EXPECT_EQ(1u, reporter.num_failures()); | 3369 EXPECT_EQ(1u, reporter.num_failures()); |
3363 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | 3370 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
3364 EXPECT_EQ(443, reporter.host_port_pair().port()); | 3371 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 3372 EXPECT_EQ(expiry, reporter.expiration()); |
3365 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); | 3373 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
3366 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); | 3374 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
3367 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); | 3375 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
3368 EXPECT_EQ(sct_list[0].status, | 3376 EXPECT_EQ(sct_list[0].status, |
3369 reporter.signed_certificate_timestamps()[0].status); | 3377 reporter.signed_certificate_timestamps()[0].status); |
3370 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); | 3378 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
3371 } | 3379 } |
3372 | 3380 |
3373 } // namespace net | 3381 } // namespace net |
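Review bot: The two `EXPECT_TRUE(reporter.expiration().is_null())` checks (new lines 2132 and 3190) and the two `EXPECT_EQ(expiry, reporter.expiration())` checks (new lines 3256 and 3372) encode different expectations, but no comment says why a report raised from `ProcessExpectCTHeader` carries a null expiration while one raised from `CheckCTRequirements` carries a real one. A one-line comment above each null check, such as `// The report comes from header processing, not from stored dynamic Expect-CT state, so there is no expiration to report.`, would keep a later reader from treating the null value as a forgotten field. That reading is inferred from the visible calls and should be confirmed against the implementation, and `expiry` is defined outside the lines shown. On style, the new accessor could match the by-value parameter and be `base::Time expiration() const { return expiration_; }` instead of returning a reference from a non-const member.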