| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 174 | 174 |
| 175 // A mock ExpectCTReporter that remembers the latest violation that was | 175 // A mock ExpectCTReporter that remembers the latest violation that was |
| 176 // reported and the number of violations reported. | 176 // reported and the number of violations reported. |
| 177 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { | 177 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { |
| 178 public: | 178 public: |
| 179 MockExpectCTReporter() : num_failures_(0) {} | 179 MockExpectCTReporter() : num_failures_(0) {} |
| 180 ~MockExpectCTReporter() override {} | 180 ~MockExpectCTReporter() override {} |
| 181 | 181 |
| 182 void OnExpectCTFailed(const HostPortPair& host_port_pair, | 182 void OnExpectCTFailed(const HostPortPair& host_port_pair, |
| 183 const GURL& report_uri, | 183 const GURL& report_uri, |
| 184 base::Time expiration, |
| 184 const X509Certificate* validated_certificate_chain, | 185 const X509Certificate* validated_certificate_chain, |
| 185 const X509Certificate* served_certificate_chain, | 186 const X509Certificate* served_certificate_chain, |
| 186 const SignedCertificateTimestampAndStatusList& | 187 const SignedCertificateTimestampAndStatusList& |
| 187 signed_certificate_timestamps) override { | 188 signed_certificate_timestamps) override { |
| 188 num_failures_++; | 189 num_failures_++; |
| 189 host_port_pair_ = host_port_pair; | 190 host_port_pair_ = host_port_pair; |
| 190 report_uri_ = report_uri; | 191 report_uri_ = report_uri; |
| 192 expiration_ = expiration; |
| 191 served_certificate_chain_ = served_certificate_chain; | 193 served_certificate_chain_ = served_certificate_chain; |
| 192 validated_certificate_chain_ = validated_certificate_chain; | 194 validated_certificate_chain_ = validated_certificate_chain; |
| 193 signed_certificate_timestamps_ = signed_certificate_timestamps; | 195 signed_certificate_timestamps_ = signed_certificate_timestamps; |
| 194 } | 196 } |
| 195 | 197 |
| 196 const HostPortPair& host_port_pair() { return host_port_pair_; } | 198 const HostPortPair& host_port_pair() { return host_port_pair_; } |
| 197 const GURL& report_uri() { return report_uri_; } | 199 const GURL& report_uri() { return report_uri_; } |
| 200 const base::Time& expiration() { return expiration_; } |
| 198 uint32_t num_failures() { return num_failures_; } | 201 uint32_t num_failures() { return num_failures_; } |
| 199 const X509Certificate* served_certificate_chain() { | 202 const X509Certificate* served_certificate_chain() { |
| 200 return served_certificate_chain_; | 203 return served_certificate_chain_; |
| 201 } | 204 } |
| 202 const X509Certificate* validated_certificate_chain() { | 205 const X509Certificate* validated_certificate_chain() { |
| 203 return validated_certificate_chain_; | 206 return validated_certificate_chain_; |
| 204 } | 207 } |
| 205 const SignedCertificateTimestampAndStatusList& | 208 const SignedCertificateTimestampAndStatusList& |
| 206 signed_certificate_timestamps() { | 209 signed_certificate_timestamps() { |
| 207 return signed_certificate_timestamps_; | 210 return signed_certificate_timestamps_; |
| 208 } | 211 } |
| 209 | 212 |
| 210 private: | 213 private: |
| 211 HostPortPair host_port_pair_; | 214 HostPortPair host_port_pair_; |
| 212 GURL report_uri_; | 215 GURL report_uri_; |
| 216 base::Time expiration_; |
| 213 uint32_t num_failures_; | 217 uint32_t num_failures_; |
| 214 const X509Certificate* served_certificate_chain_; | 218 const X509Certificate* served_certificate_chain_; |
| 215 const X509Certificate* validated_certificate_chain_; | 219 const X509Certificate* validated_certificate_chain_; |
| 216 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_; | 220 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_; |
| 217 }; | 221 }; |
| 218 | 222 |
| 219 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { | 223 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
| 220 public: | 224 public: |
| 221 MOCK_METHOD1(IsCTRequiredForHost, | 225 MOCK_METHOD1(IsCTRequiredForHost, |
| 222 CTRequirementLevel(const std::string& hostname)); | 226 CTRequirementLevel(const std::string& hostname)); |
| (...skipping 1895 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2118 &ssl_info.signed_certificate_timestamps); | 2122 &ssl_info.signed_certificate_timestamps); |
| 2119 | 2123 |
| 2120 TransportSecurityState state; | 2124 TransportSecurityState state; |
| 2121 TransportSecurityStateTest::EnableStaticExpectCT(&state); | 2125 TransportSecurityStateTest::EnableStaticExpectCT(&state); |
| 2122 MockExpectCTReporter reporter; | 2126 MockExpectCTReporter reporter; |
| 2123 state.SetExpectCTReporter(&reporter); | 2127 state.SetExpectCTReporter(&reporter); |
| 2124 state.ProcessExpectCTHeader("preload", host_port, ssl_info); | 2128 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
| 2125 EXPECT_EQ(1u, reporter.num_failures()); | 2129 EXPECT_EQ(1u, reporter.num_failures()); |
| 2126 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 2130 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
| 2127 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 2131 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
| 2132 EXPECT_TRUE(reporter.expiration().is_null()); |
| 2128 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 2133 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
| 2129 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); | 2134 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); |
| 2130 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); | 2135 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); |
| 2131 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), | 2136 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), |
| 2132 reporter.signed_certificate_timestamps().size()); | 2137 reporter.signed_certificate_timestamps().size()); |
| 2133 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, | 2138 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, |
| 2134 reporter.signed_certificate_timestamps()[0].status); | 2139 reporter.signed_certificate_timestamps()[0].status); |
| 2135 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct, | 2140 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct, |
| 2136 reporter.signed_certificate_timestamps()[0].sct); | 2141 reporter.signed_certificate_timestamps()[0].sct); |
| 2137 } | 2142 } |
| (...skipping 1037 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3175 feature_list.InitAndEnableFeature( | 3180 feature_list.InitAndEnableFeature( |
| 3176 TransportSecurityState::kDynamicExpectCTFeature); | 3181 TransportSecurityState::kDynamicExpectCTFeature); |
| 3177 TransportSecurityState state; | 3182 TransportSecurityState state; |
| 3178 MockExpectCTReporter reporter; | 3183 MockExpectCTReporter reporter; |
| 3179 state.SetExpectCTReporter(&reporter); | 3184 state.SetExpectCTReporter(&reporter); |
| 3180 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); | 3185 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
| 3181 TransportSecurityState::ExpectCTState expect_ct_state; | 3186 TransportSecurityState::ExpectCTState expect_ct_state; |
| 3182 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); | 3187 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
| 3183 EXPECT_EQ(1u, reporter.num_failures()); | 3188 EXPECT_EQ(1u, reporter.num_failures()); |
| 3184 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | 3189 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 3190 EXPECT_TRUE(reporter.expiration().is_null()); |
| 3185 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); | 3191 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); |
| 3186 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); | 3192 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); |
| 3187 EXPECT_EQ(ssl.signed_certificate_timestamps.size(), | 3193 EXPECT_EQ(ssl.signed_certificate_timestamps.size(), |
| 3188 reporter.signed_certificate_timestamps().size()); | 3194 reporter.signed_certificate_timestamps().size()); |
| 3189 EXPECT_EQ(ssl.signed_certificate_timestamps[0].status, | 3195 EXPECT_EQ(ssl.signed_certificate_timestamps[0].status, |
| 3190 reporter.signed_certificate_timestamps()[0].status); | 3196 reporter.signed_certificate_timestamps()[0].status); |
| 3191 EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct, | 3197 EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct, |
| 3192 reporter.signed_certificate_timestamps()[0].sct); | 3198 reporter.signed_certificate_timestamps()[0].sct); |
| 3193 } | 3199 } |
| 3194 | 3200 |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3240 // A connection to an Expect-CT host should be closed and reported. | 3246 // A connection to an Expect-CT host should be closed and reported. |
| 3241 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, | 3247 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 3242 state.CheckCTRequirements( | 3248 state.CheckCTRequirements( |
| 3243 HostPortPair("example.test", 443), true, HashValueVector(), | 3249 HostPortPair("example.test", 443), true, HashValueVector(), |
| 3244 cert1.get(), cert2.get(), sct_list, | 3250 cert1.get(), cert2.get(), sct_list, |
| 3245 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | 3251 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3246 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | 3252 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 3247 EXPECT_EQ(1u, reporter.num_failures()); | 3253 EXPECT_EQ(1u, reporter.num_failures()); |
| 3248 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | 3254 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 3249 EXPECT_EQ(443, reporter.host_port_pair().port()); | 3255 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 3256 EXPECT_EQ(expiry, reporter.expiration()); |
| 3250 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); | 3257 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
| 3251 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); | 3258 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
| 3252 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); | 3259 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
| 3253 EXPECT_EQ(sct_list[0].status, | 3260 EXPECT_EQ(sct_list[0].status, |
| 3254 reporter.signed_certificate_timestamps()[0].status); | 3261 reporter.signed_certificate_timestamps()[0].status); |
| 3255 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); | 3262 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
| 3256 | 3263 |
| 3257 // A compliant connection to an Expect-CT host should not be closed or | 3264 // A compliant connection to an Expect-CT host should not be closed or |
| 3258 // reported. | 3265 // reported. |
| 3259 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, | 3266 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
| (...skipping 95 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3355 state.SetRequireCTDelegate(&always_require_delegate); | 3362 state.SetRequireCTDelegate(&always_require_delegate); |
| 3356 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, | 3363 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 3357 state.CheckCTRequirements( | 3364 state.CheckCTRequirements( |
| 3358 HostPortPair("example.test", 443), true, HashValueVector(), | 3365 HostPortPair("example.test", 443), true, HashValueVector(), |
| 3359 cert1.get(), cert2.get(), sct_list, | 3366 cert1.get(), cert2.get(), sct_list, |
| 3360 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | 3367 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3361 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | 3368 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 3362 EXPECT_EQ(1u, reporter.num_failures()); | 3369 EXPECT_EQ(1u, reporter.num_failures()); |
| 3363 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | 3370 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 3364 EXPECT_EQ(443, reporter.host_port_pair().port()); | 3371 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 3372 EXPECT_EQ(expiry, reporter.expiration()); |
| 3365 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); | 3373 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
| 3366 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); | 3374 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
| 3367 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); | 3375 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
| 3368 EXPECT_EQ(sct_list[0].status, | 3376 EXPECT_EQ(sct_list[0].status, |
| 3369 reporter.signed_certificate_timestamps()[0].status); | 3377 reporter.signed_certificate_timestamps()[0].status); |
| 3370 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); | 3378 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
| 3371 } | 3379 } |
| 3372 | 3380 |
| 3373 } // namespace net | 3381 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2944953002:
Add effective-expiration-date to Expect-CT reports (Closed)
