Chromium Code Reviews Chromium Code Reviews
Issue 20047002:
net: make QUIC ProofVerifier more generic. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/files/file_path.h" | 5 #include "base/files/file_path.h" |
| 6 #include "net/base/net_errors.h" | 6 #include "net/base/net_errors.h" |
| 7 #include "net/base/test_completion_callback.h" | 7 #include "net/base/test_completion_callback.h" |
| 8 #include "net/base/test_data_directory.h" | 8 #include "net/base/test_data_directory.h" |
| 9 #include "net/cert/cert_status_flags.h" | 9 #include "net/cert/cert_status_flags.h" |
| 10 #include "net/cert/cert_verify_result.h" | 10 #include "net/cert/cert_verify_result.h" |
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 81 } | 81 } |
| 82 rv = verifier->VerifyProof("foo.com", server_config, wrong_certs, signature, | 82 rv = verifier->VerifyProof("foo.com", server_config, wrong_certs, signature, |
| 83 &error_details, &cert_verify_result, | 83 &error_details, &cert_verify_result, |
| 84 callback.callback()); | 84 callback.callback()); |
| 85 rv = callback.GetResult(rv); | 85 rv = callback.GetResult(rv); |
| 86 ASSERT_EQ(ERR_FAILED, rv); | 86 ASSERT_EQ(ERR_FAILED, rv); |
| 87 ASSERT_NE("", error_details); | 87 ASSERT_NE("", error_details); |
| 88 #endif // 0 | 88 #endif // 0 |
| 89 } | 89 } |
| 90 | 90 |
| 91 // TestProofVerifierCallback is a simple callback for a ProofVerifier that | |
| 92 // signals a TestCompletionCallback when called and stores the results from the | |
| 93 // ProofVerifier in pointers passed to the constructor. | |
| 94 class TestProofVerifierCallback : public ProofVerifierCallback { | |
| 95 public: | |
| 96 TestProofVerifierCallback(TestCompletionCallback* comp_callback, | |
| 97 bool* ok, | |
| 98 std::string* error_details) | |
| 99 : comp_callback_(comp_callback), | |
| 100 ok_(ok), | |
| 101 error_details_(error_details) {} | |
| 102 | |
| 103 virtual void Run(bool ok, | |
| 104 const std::string& error_details, | |
| 105 scoped_ptr<ProofVerifyDetails>* details) OVERRIDE { | |
| 106 *ok_ = ok; | |
| 107 *error_details_ = error_details; | |
| 108 | |
| 109 comp_callback_->callback().Run(0); | |
| 110 } | |
| 111 | |
| 112 private: | |
| 113 TestCompletionCallback* const comp_callback_; | |
| 114 bool* const ok_; | |
| 115 std::string* const error_details_; | |
| 116 }; | |
| 117 | |
| 118 // RunVerification runs |verifier->VerifyProof| and asserts that the result | |
| 119 // matches |expected_ok|. | |
| 120 static void RunVerification(ProofVerifier* verifier, | |
| 121 const std::string& hostname, | |
| 122 const std::string& server_config, | |
| 123 const vector<std::string>& certs, | |
| 124 const std::string& proof, | |
| 125 bool expected_ok) { | |
| 126 scoped_ptr<ProofVerifyDetails> details; | |
| 127 TestCompletionCallback comp_callback; | |
| 128 bool ok; | |
| 129 std::string error_details; | |
| 130 TestProofVerifierCallback* callback = | |
| 131 new TestProofVerifierCallback(&comp_callback, &ok, &error_details); | |
| 132 | |
| 133 ProofVerifier::Status status = verifier->VerifyProof( | |
| 134 hostname, server_config, certs, proof, &error_details, &details, | |
| 135 callback); | |
| 136 | |
| 137 switch (status) { | |
| 138 case ProofVerifier::FAILURE: | |
| 139 ASSERT_FALSE(expected_ok); | |
| 140 ASSERT_NE("", error_details); | |
| 141 return; | |
| 142 case ProofVerifier::SUCCESS: | |
| 143 ASSERT_TRUE(expected_ok); | |
| 144 ASSERT_EQ("", error_details); | |
| 145 return; | |
| 146 case ProofVerifier::PENDING: | |
| 147 comp_callback.WaitForResult(); | |
| 148 ASSERT_EQ(expected_ok, ok); | |
| 149 break; | |
| 150 } | |
| 151 } | |
| 152 | |
| 91 static string PEMCertFileToDER(const string& file_name) { | 153 static string PEMCertFileToDER(const string& file_name) { |
| 92 base::FilePath certs_dir = GetTestCertsDirectory(); | 154 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 93 scoped_refptr<X509Certificate> cert = | 155 scoped_refptr<X509Certificate> cert = |
| 94 ImportCertFromFile(certs_dir, file_name); | 156 ImportCertFromFile(certs_dir, file_name); |
| 95 CHECK_NE(static_cast<X509Certificate*>(NULL), cert); | 157 CHECK_NE(static_cast<X509Certificate*>(NULL), cert); |
| 96 | 158 |
| 97 string der_bytes; | 159 string der_bytes; |
| 98 CHECK(X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_bytes)); | 160 CHECK(X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_bytes)); |
| 99 return der_bytes; | 161 return der_bytes; |
| 100 } | 162 } |
| (...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 219 vector<string> signatures(3); | 281 vector<string> signatures(3); |
| 220 signatures[0].assign(reinterpret_cast<const char*>(signature_data_0), | 282 signatures[0].assign(reinterpret_cast<const char*>(signature_data_0), |
| 221 sizeof(signature_data_0)); | 283 sizeof(signature_data_0)); |
| 222 signatures[1].assign(reinterpret_cast<const char*>(signature_data_1), | 284 signatures[1].assign(reinterpret_cast<const char*>(signature_data_1), |
| 223 sizeof(signature_data_1)); | 285 sizeof(signature_data_1)); |
| 224 signatures[2].assign(reinterpret_cast<const char*>(signature_data_2), | 286 signatures[2].assign(reinterpret_cast<const char*>(signature_data_2), |
| 225 sizeof(signature_data_2)); | 287 sizeof(signature_data_2)); |
| 226 | 288 |
| 227 for (size_t i = 0; i < signatures.size(); i++) { | 289 for (size_t i = 0; i < signatures.size(); i++) { |
| 228 const string& signature = signatures[i]; | 290 const string& signature = signatures[i]; |
| 229 int rv; | |
| 230 TestCompletionCallback callback; | |
| 231 rv = verifier->VerifyProof(hostname, server_config, certs, signature, | |
| 232 &error_details, &cert_verify_result, | |
| 233 callback.callback()); | |
| 234 rv = callback.GetResult(rv); | |
| 235 ASSERT_EQ(OK, rv); | |
| 236 ASSERT_EQ("", error_details); | |
| 237 ASSERT_FALSE(IsCertStatusError(cert_verify_result.cert_status)); | |
| 238 | 291 |
| 239 rv = verifier->VerifyProof("foo.com", server_config, certs, signature, | 292 RunVerification( |
| 240 &error_details, &cert_verify_result, | 293 verifier.get(), hostname, server_config, certs, signature, true); |
|
ramant (doing other things)
2013/07/29 17:04:24
nit: I was shy to ask this before. Is it good to t
| |
| 241 callback.callback()); | 294 RunVerification( |
| 242 rv = callback.GetResult(rv); | 295 verifier.get(), "foo.com", server_config, certs, signature, false); |
| 243 ASSERT_EQ(ERR_FAILED, rv); | 296 RunVerification( |
| 244 ASSERT_NE("", error_details); | 297 verifier.get(), hostname, server_config.substr(1, string::npos), |
| 245 | 298 certs, signature, false); |
| 246 rv = verifier->VerifyProof(hostname, server_config.substr(1, string::npos), | |
| 247 certs, signature, &error_details, | |
| 248 &cert_verify_result, callback.callback()); | |
| 249 rv = callback.GetResult(rv); | |
| 250 ASSERT_EQ(ERR_FAILED, rv); | |
| 251 ASSERT_NE("", error_details); | |
| 252 | 299 |
| 253 const string corrupt_signature = "1" + signature; | 300 const string corrupt_signature = "1" + signature; |
| 254 rv = verifier->VerifyProof(hostname, server_config, certs, | 301 RunVerification( |
| 255 corrupt_signature, &error_details, | 302 verifier.get(), hostname, server_config, certs, corrupt_signature, |
| 256 &cert_verify_result, callback.callback()); | 303 false); |
| 257 rv = callback.GetResult(rv); | |
| 258 ASSERT_EQ(ERR_FAILED, rv); | |
| 259 ASSERT_NE("", error_details); | |
| 260 | 304 |
| 261 vector<string> wrong_certs; | 305 vector<string> wrong_certs; |
| 262 for (size_t i = 1; i < certs.size(); i++) { | 306 for (size_t i = 1; i < certs.size(); i++) { |
| 263 wrong_certs.push_back(certs[i]); | 307 wrong_certs.push_back(certs[i]); |
| 264 } | 308 } |
| 265 rv = verifier->VerifyProof("foo.com", server_config, wrong_certs, signature, | 309 RunVerification(verifier.get(), hostname, server_config, wrong_certs, |
| 266 &error_details, &cert_verify_result, | 310 signature, false); |
| 267 callback.callback()); | |
| 268 rv = callback.GetResult(rv); | |
| 269 ASSERT_EQ(ERR_FAILED, rv); | |
| 270 ASSERT_NE("", error_details); | |
| 271 } | 311 } |
| 272 } | 312 } |
| 273 | 313 |
| 274 // A known answer test that allows us to test ProofVerifier without a working | 314 // A known answer test that allows us to test ProofVerifier without a working |
| 275 // ProofSource. | 315 // ProofSource. |
| 276 // TODO(rtenneti): Enable VerifyECDSAKnownAnswerTest on Windows. Disabled this | 316 // TODO(rtenneti): Enable VerifyECDSAKnownAnswerTest on Windows. Disabled this |
| 277 // test because X509Certificate::GetPublicKeyInfo is not returning the correct | 317 // test because X509Certificate::GetPublicKeyInfo is not returning the correct |
| 278 // type for ECDSA certificates. | 318 // type for ECDSA certificates. |
| 279 #if defined(OS_WIN) | 319 #if defined(OS_WIN) |
| 280 #define MAYBE_VerifyECDSAKnownAnswerTest DISABLED_VerifyECDSAKnownAnswerTest | 320 #define MAYBE_VerifyECDSAKnownAnswerTest DISABLED_VerifyECDSAKnownAnswerTest |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 332 vector<string> signatures(3); | 372 vector<string> signatures(3); |
| 333 signatures[0].assign(reinterpret_cast<const char*>(signature_data_0), | 373 signatures[0].assign(reinterpret_cast<const char*>(signature_data_0), |
| 334 sizeof(signature_data_0)); | 374 sizeof(signature_data_0)); |
| 335 signatures[1].assign(reinterpret_cast<const char*>(signature_data_1), | 375 signatures[1].assign(reinterpret_cast<const char*>(signature_data_1), |
| 336 sizeof(signature_data_1)); | 376 sizeof(signature_data_1)); |
| 337 signatures[2].assign(reinterpret_cast<const char*>(signature_data_2), | 377 signatures[2].assign(reinterpret_cast<const char*>(signature_data_2), |
| 338 sizeof(signature_data_2)); | 378 sizeof(signature_data_2)); |
| 339 | 379 |
| 340 for (size_t i = 0; i < signatures.size(); i++) { | 380 for (size_t i = 0; i < signatures.size(); i++) { |
| 341 const string& signature = signatures[i]; | 381 const string& signature = signatures[i]; |
| 342 int rv; | |
| 343 TestCompletionCallback callback; | |
| 344 rv = verifier->VerifyProof(hostname, server_config, certs, signature, | |
| 345 &error_details, &cert_verify_result, | |
| 346 callback.callback()); | |
| 347 rv = callback.GetResult(rv); | |
| 348 ASSERT_EQ(OK, rv); | |
| 349 ASSERT_EQ("", error_details); | |
| 350 ASSERT_FALSE(IsCertStatusError(cert_verify_result.cert_status)); | |
| 351 | 382 |
| 352 rv = verifier->VerifyProof("foo.com", server_config, certs, signature, | 383 RunVerification( |
| 353 &error_details, &cert_verify_result, | 384 verifier.get(), hostname, server_config, certs, signature, true); |
| 354 callback.callback()); | 385 RunVerification( |
| 355 rv = callback.GetResult(rv); | 386 verifier.get(), "foo.com", server_config, certs, signature, false); |
| 356 ASSERT_EQ(ERR_FAILED, rv); | 387 RunVerification( |
| 357 ASSERT_NE("", error_details); | 388 verifier.get(), hostname, server_config.substr(1, string::npos), |
| 358 | 389 certs, signature, false); |
| 359 rv = verifier->VerifyProof(hostname, server_config.substr(1, string::npos), | |
| 360 certs, signature, &error_details, | |
| 361 &cert_verify_result, callback.callback()); | |
| 362 rv = callback.GetResult(rv); | |
| 363 ASSERT_EQ(ERR_FAILED, rv); | |
| 364 ASSERT_NE("", error_details); | |
| 365 | 390 |
| 366 // An ECDSA signature is DER-encoded. Corrupt the last byte so that the | 391 // An ECDSA signature is DER-encoded. Corrupt the last byte so that the |
| 367 // signature can still be DER-decoded correctly. | 392 // signature can still be DER-decoded correctly. |
| 368 string corrupt_signature = signature; | 393 string corrupt_signature = signature; |
| 369 corrupt_signature[corrupt_signature.size() - 1] += 1; | 394 corrupt_signature[corrupt_signature.size() - 1] += 1; |
| 370 rv = verifier->VerifyProof(hostname, server_config, certs, | 395 RunVerification( |
| 371 corrupt_signature, &error_details, | 396 verifier.get(), hostname, server_config, certs, corrupt_signature, |
| 372 &cert_verify_result, callback.callback()); | 397 false); |
| 373 rv = callback.GetResult(rv); | |
| 374 ASSERT_EQ(ERR_FAILED, rv); | |
| 375 ASSERT_NE("", error_details); | |
| 376 | 398 |
| 377 // Prepending a "1" makes the DER invalid. | 399 // Prepending a "1" makes the DER invalid. |
| 378 const string bad_der_signature1 = "1" + signature; | 400 const string bad_der_signature1 = "1" + signature; |
| 379 rv = verifier->VerifyProof(hostname, server_config, certs, | 401 RunVerification( |
| 380 bad_der_signature1, &error_details, | 402 verifier.get(), hostname, server_config, certs, bad_der_signature1, |
| 381 &cert_verify_result, callback.callback()); | 403 false); |
| 382 rv = callback.GetResult(rv); | |
| 383 ASSERT_EQ(ERR_FAILED, rv); | |
| 384 ASSERT_NE("", error_details); | |
| 385 | 404 |
| 386 vector<string> wrong_certs; | 405 vector<string> wrong_certs; |
| 387 for (size_t i = 1; i < certs.size(); i++) { | 406 for (size_t i = 1; i < certs.size(); i++) { |
| 388 wrong_certs.push_back(certs[i]); | 407 wrong_certs.push_back(certs[i]); |
| 389 } | 408 } |
| 390 rv = verifier->VerifyProof("foo.com", server_config, wrong_certs, signature, | 409 RunVerification( |
| 391 &error_details, &cert_verify_result, | 410 verifier.get(), hostname, server_config, wrong_certs, signature, false); |
| 392 callback.callback()); | |
| 393 rv = callback.GetResult(rv); | |
| 394 ASSERT_EQ(ERR_FAILED, rv); | |
| 395 ASSERT_NE("", error_details); | |
| 396 } | 411 } |
| 397 } | 412 } |
| 398 | 413 |
| 399 } // namespace test | 414 } // namespace test |
| 400 } // namespace net | 415 } // namespace net |
| OLD | NEW |
