net/socket/ssl_client_socket_unittest.cc - Issue 517083002: Enable Certificate Transparency in the OpenSSL port.

Unified Diff: net/socket/ssl_client_socket_unittest.cc

Issue 517083002: Enable Certificate Transparency in the OpenSSL port. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@ct-objects-extractor

Patch Set: hopefully fix NaCl build Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/socket/ssl_client_socket_unittest.cc

diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc

index f695e27c240f9edff7d8f4397f9f32f854190f2d..c426c9d6be2e701d7d82eec919219bc8b3fec515 100644

--- a/net/socket/ssl_client_socket_unittest.cc

+++ b/net/socket/ssl_client_socket_unittest.cc

@@ -15,6 +15,8 @@

#include "net/base/net_log_unittest.h"

#include "net/base/test_completion_callback.h"

#include "net/base/test_data_directory.h"

+#include "net/cert/asn1_util.h"

+#include "net/cert/ct_verifier.h"

#include "net/cert/mock_cert_verifier.h"

#include "net/cert/test_root_certs.h"

#include "net/dns/host_resolver.h"

@@ -656,15 +658,52 @@ class AsyncFailingChannelIDStore : public ChannelIDStore {

virtual void SetForceKeepSessionState() OVERRIDE {}

};

+// A mock CTVerifier that records every call to Verify but doesn't verify

+// anything.

+class MockCTVerifier : public CTVerifier {

Ryan Sleevi 2014/09/02 19:49:06 This is a bit weird, in particular, the tracking o

davidben 2014/09/02 22:13:45 Done. Also trimmed a lot of the tests down as they

+ public:

+ // A single call to Verify.

+ struct Call {

+ scoped_refptr<X509Certificate> cert;

+ std::string stapled_ocsp_response;

+ std::string sct_list_from_tls_extension;

+ };

+ MockCTVerifier() {}

+ const std::vector<Call>& calls() const { return calls_; }

+ virtual int Verify(X509Certificate* cert,

+ const std::string& stapled_ocsp_response,

+ const std::string& sct_list_from_tls_extension,

+ ct::CTVerifyResult* result,

+ const BoundNetLog& net_log) OVERRIDE {

+ // Save the call and otherwise do nothing.

+ Call call;

+ call.cert = cert;

+ call.stapled_ocsp_response = stapled_ocsp_response;

+ call.sct_list_from_tls_extension = sct_list_from_tls_extension;

+ calls_.push_back(call);

+ return ERR_CT_NO_SCTS_VERIFIED_OK;

+ }

+ private:

+ std::vector<Call> calls_;

+ DISALLOW_COPY_AND_ASSIGN(MockCTVerifier);

+};

class SSLClientSocketTest : public PlatformTest {

public:

SSLClientSocketTest()

: socket_factory_(ClientSocketFactory::GetDefaultFactory()),

cert_verifier_(new MockCertVerifier),

+ ct_verifier_(new MockCTVerifier),

transport_security_state_(new TransportSecurityState),

ran_handshake_completion_callback_(false) {

cert_verifier_->set_default_result(OK);

context_.cert_verifier = cert_verifier_.get();

+ context_.cert_transparency_verifier = ct_verifier_.get();

context_.transport_security_state = transport_security_state_.get();

}

@@ -742,6 +781,7 @@ class SSLClientSocketTest : public PlatformTest {

ClientSocketFactory* socket_factory_;

scoped_ptr<MockCertVerifier> cert_verifier_;

+ scoped_ptr<MockCTVerifier> ct_verifier_;

scoped_ptr<TransportSecurityState> transport_security_state_;

SSLClientSocketContext context_;

scoped_ptr<SSLClientSocket> sock_;

@@ -2511,12 +2551,12 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) {

log.GetEntries(&entries);

EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));

-#if !defined(USE_OPENSSL)

+ // Check that the SCT extension was extracted in the expected format.

EXPECT_TRUE(sock->signed_cert_timestamps_received_);

-#else

- // Enabling CT for OpenSSL is currently a noop.

- EXPECT_FALSE(sock->signed_cert_timestamps_received_);

-#endif

+ ASSERT_EQ(1u, ct_verifier_->calls().size());

+ MockCTVerifier::Call call = ct_verifier_->calls()[0];

+ EXPECT_TRUE(call.stapled_ocsp_response.empty());

+ EXPECT_EQ("test", call.sct_list_from_tls_extension);

sock->Disconnect();

EXPECT_FALSE(sock->IsConnected());

@@ -2570,12 +2610,24 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledOCSP) {

log.GetEntries(&entries);

EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));

-#if !defined(USE_OPENSSL)

+ // Check that the OCSP response was extracted in the expected format.

EXPECT_TRUE(sock->stapled_ocsp_response_received_);

-#else

- // OCSP stapling isn't currently supported in the OpenSSL socket.

- EXPECT_FALSE(sock->stapled_ocsp_response_received_);

-#endif

+ EXPECT_EQ(1u, ct_verifier_->calls().size());

+ MockCTVerifier::Call call = ct_verifier_->calls()[0];

+ EXPECT_TRUE(call.sct_list_from_tls_extension.empty());

+ // The stapled OCSPResponse is generated each time. It should be the DER

+ // encoding of an OCSPResponse (RFC 2560), so check that it consists of a

+ // SEQUENCE of an ENUMERATED type and an element tagged with [0] EXPLICIT.

Ryan Sleevi 2014/09/02 19:49:06 What, precisely, is this testing? Just that a well

davidben 2014/09/02 22:13:45 This is testing that we get back a reasonable well

+ base::StringPiece ocsp_response(call.stapled_ocsp_response);

+ base::StringPiece sequence, response_status, response_bytes;

+ EXPECT_TRUE(asn1::GetElement(&ocsp_response, asn1::kSEQUENCE, &sequence));

+ EXPECT_TRUE(ocsp_response.empty());

+ EXPECT_TRUE(asn1::GetElement(&sequence, asn1::kENUMERATED, &response_status));

+ EXPECT_TRUE(asn1::GetElement(&sequence,

+ asn1::kContextSpecific | asn1::kConstructed | 0,

+ &response_status));

+ EXPECT_TRUE(sequence.empty());

sock->Disconnect();

EXPECT_FALSE(sock->IsConnected());

« net/socket/ssl_client_socket_openssl.cc ('K') | « net/socket/ssl_client_socket_openssl.cc ('k') | no next file » | no next file with comments »