Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(30)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/transport_security_state_unittest.cc

Issue 2850033002: Check Expect-CT at connection setup (Closed)
Patch Set: fix comment typo Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/http/transport_security_state.cc ('k') | net/quic/chromium/crypto/proof_verifier_chromium.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/transport_security_state.h" 5 #include "net/http/transport_security_state.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <string> 8 #include <string>
9 #include <vector> 9 #include <vector>
10 10
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after
86 const char* const kBadPath[] = { 86 const char* const kBadPath[] = {
87 "sha1/111111111111111111111111111=", 87 "sha1/111111111111111111111111111=",
88 "sha1/222222222222222222222222222=", 88 "sha1/222222222222222222222222222=",
89 "sha1/333333333333333333333333333=", 89 "sha1/333333333333333333333333333=",
90 "sha256/1111111111111111111111111111111111111111111=", 90 "sha256/1111111111111111111111111111111111111111111=",
91 "sha256/2222222222222222222222222222222222222222222=", 91 "sha256/2222222222222222222222222222222222222222222=",
92 "sha256/3333333333333333333333333333333333333333333=", 92 "sha256/3333333333333333333333333333333333333333333=",
93 nullptr, 93 nullptr,
94 }; 94 };
95 95
96 // Constructs a SignedCertificateTimestampAndStatus with the given information
97 // and appends it to |sct_list|.
98 void MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::Origin origin,
99 const std::string& log_id,
100 const std::string& extensions,
101 const std::string& signature_data,
102 const base::Time& timestamp,
103 ct::SCTVerifyStatus status,
104 SignedCertificateTimestampAndStatusList* sct_list) {
105 scoped_refptr<net::ct::SignedCertificateTimestamp> sct(
106 new net::ct::SignedCertificateTimestamp());
107 sct->version = net::ct::SignedCertificateTimestamp::V1;
108 sct->log_id = log_id;
109 sct->extensions = extensions;
110 sct->timestamp = timestamp;
111 sct->signature.signature_data = signature_data;
112 sct->origin = origin;
113 sct_list->push_back(net::SignedCertificateTimestampAndStatus(sct, status));
114 }
115
96 // A mock ReportSenderInterface that just remembers the latest report 116 // A mock ReportSenderInterface that just remembers the latest report
97 // URI and report to be sent. 117 // URI and report to be sent.
98 class MockCertificateReportSender 118 class MockCertificateReportSender
99 : public TransportSecurityState::ReportSenderInterface { 119 : public TransportSecurityState::ReportSenderInterface {
100 public: 120 public:
101 MockCertificateReportSender() {} 121 MockCertificateReportSender() {}
102 ~MockCertificateReportSender() override {} 122 ~MockCertificateReportSender() override {}
103 123
104 void Send(const GURL& report_uri, 124 void Send(const GURL& report_uri,
105 base::StringPiece content_type, 125 base::StringPiece content_type,
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after
154 174
155 // A mock ExpectCTReporter that remembers the latest violation that was 175 // A mock ExpectCTReporter that remembers the latest violation that was
156 // reported and the number of violations reported. 176 // reported and the number of violations reported.
157 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { 177 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
158 public: 178 public:
159 MockExpectCTReporter() : num_failures_(0) {} 179 MockExpectCTReporter() : num_failures_(0) {}
160 ~MockExpectCTReporter() override {} 180 ~MockExpectCTReporter() override {}
161 181
162 void OnExpectCTFailed(const HostPortPair& host_port_pair, 182 void OnExpectCTFailed(const HostPortPair& host_port_pair,
163 const GURL& report_uri, 183 const GURL& report_uri,
164 const net::SSLInfo& ssl_info) override { 184 const X509Certificate* validated_certificate_chain,
185 const X509Certificate* served_certificate_chain,
186 const SignedCertificateTimestampAndStatusList&
187 signed_certificate_timestamps) override {
165 num_failures_++; 188 num_failures_++;
166 host_port_pair_ = host_port_pair; 189 host_port_pair_ = host_port_pair;
167 report_uri_ = report_uri; 190 report_uri_ = report_uri;
168 ssl_info_ = ssl_info; 191 served_certificate_chain_ = served_certificate_chain;
192 validated_certificate_chain_ = validated_certificate_chain;
193 signed_certificate_timestamps_ = signed_certificate_timestamps;
169 } 194 }
170 195
171 const HostPortPair& host_port_pair() { return host_port_pair_; } 196 const HostPortPair& host_port_pair() { return host_port_pair_; }
172 const GURL& report_uri() { return report_uri_; } 197 const GURL& report_uri() { return report_uri_; }
173 const SSLInfo& ssl_info() { return ssl_info_; }
174 uint32_t num_failures() { return num_failures_; } 198 uint32_t num_failures() { return num_failures_; }
199 const X509Certificate* served_certificate_chain() {
200 return served_certificate_chain_;
201 }
202 const X509Certificate* validated_certificate_chain() {
203 return validated_certificate_chain_;
204 }
205 const SignedCertificateTimestampAndStatusList&
206 signed_certificate_timestamps() {
207 return signed_certificate_timestamps_;
208 }
175 209
176 private: 210 private:
177 HostPortPair host_port_pair_; 211 HostPortPair host_port_pair_;
178 GURL report_uri_; 212 GURL report_uri_;
179 SSLInfo ssl_info_;
180 uint32_t num_failures_; 213 uint32_t num_failures_;
214 const X509Certificate* served_certificate_chain_;
215 const X509Certificate* validated_certificate_chain_;
216 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_;
181 }; 217 };
182 218
183 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { 219 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
184 public: 220 public:
185 MOCK_METHOD1(IsCTRequiredForHost, 221 MOCK_METHOD1(IsCTRequiredForHost,
186 CTRequirementLevel(const std::string& hostname)); 222 CTRequirementLevel(const std::string& hostname));
187 }; 223 };
188 224
189 void CompareCertificateChainWithList( 225 void CompareCertificateChainWithList(
190 const scoped_refptr<X509Certificate>& cert_chain, 226 const scoped_refptr<X509Certificate>& cert_chain,
(...skipping 1828 matching lines...) Expand 10 before | Expand all | Expand 10 after
2019 2055
2020 // Tests that the Expect CT reporter is notified for noncompliant 2056 // Tests that the Expect CT reporter is notified for noncompliant
2021 // connections. 2057 // connections.
2022 TEST_F(TransportSecurityStateTest, ExpectCTReporter) { 2058 TEST_F(TransportSecurityStateTest, ExpectCTReporter) {
2023 HostPortPair host_port(kExpectCTStaticHostname, 443); 2059 HostPortPair host_port(kExpectCTStaticHostname, 443);
2024 SSLInfo ssl_info; 2060 SSLInfo ssl_info;
2025 ssl_info.ct_compliance_details_available = true; 2061 ssl_info.ct_compliance_details_available = true;
2026 ssl_info.ct_cert_policy_compliance = 2062 ssl_info.ct_cert_policy_compliance =
2027 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS; 2063 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS;
2028 ssl_info.is_issued_by_known_root = true; 2064 ssl_info.is_issued_by_known_root = true;
2065 scoped_refptr<X509Certificate> cert1 =
2066 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
2067 scoped_refptr<X509Certificate> cert2 =
2068 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
2069 ASSERT_TRUE(cert1);
2070 ASSERT_TRUE(cert2);
2071 ssl_info.unverified_cert = cert1;
2072 ssl_info.cert = cert2;
2073 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
2074 std::string(), std::string(), base::Time::Now(),
2075 ct::SCT_STATUS_INVALID_SIGNATURE,
2076 &ssl_info.signed_certificate_timestamps);
2029 2077
2030 TransportSecurityState state; 2078 TransportSecurityState state;
2031 TransportSecurityStateTest::EnableStaticExpectCT(&state); 2079 TransportSecurityStateTest::EnableStaticExpectCT(&state);
2032 MockExpectCTReporter reporter; 2080 MockExpectCTReporter reporter;
2033 state.SetExpectCTReporter(&reporter); 2081 state.SetExpectCTReporter(&reporter);
2034 state.ProcessExpectCTHeader("preload", host_port, ssl_info); 2082 state.ProcessExpectCTHeader("preload", host_port, ssl_info);
2035 EXPECT_EQ(1u, reporter.num_failures()); 2083 EXPECT_EQ(1u, reporter.num_failures());
2036 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available);
2037 EXPECT_EQ(ssl_info.ct_cert_policy_compliance,
2038 reporter.ssl_info().ct_cert_policy_compliance);
2039 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); 2084 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host());
2040 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); 2085 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port());
2041 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); 2086 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri());
2087 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain());
2088 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain());
2089 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(),
2090 reporter.signed_certificate_timestamps().size());
2091 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status,
2092 reporter.signed_certificate_timestamps()[0].status);
2093 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct,
2094 reporter.signed_certificate_timestamps()[0].sct);
2042 } 2095 }
2043 2096
2044 // Simple test for the HSTS preload process. The trie (generated from 2097 // Simple test for the HSTS preload process. The trie (generated from
2045 // transport_security_state_static_unittest1.json) contains 1 entry. Test that 2098 // transport_security_state_static_unittest1.json) contains 1 entry. Test that
2046 // the lookup methods can find the entry and correctly decode the different 2099 // the lookup methods can find the entry and correctly decode the different
2047 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). 2100 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple).
2048 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { 2101 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) {
2049 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); 2102 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource);
2050 2103
2051 TransportSecurityState state; 2104 TransportSecurityState state;
(...skipping 449 matching lines...) Expand 10 before | Expand all | Expand 10 after
2501 scoped_refptr<X509Certificate> cert = 2554 scoped_refptr<X509Certificate> cert =
2502 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); 2555 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
2503 ASSERT_TRUE(cert); 2556 ASSERT_TRUE(cert);
2504 2557
2505 HashValueVector hashes; 2558 HashValueVector hashes;
2506 hashes.push_back(HashValue( 2559 hashes.push_back(HashValue(
2507 X509Certificate::CalculateFingerprint256(cert->os_cert_handle()))); 2560 X509Certificate::CalculateFingerprint256(cert->os_cert_handle())));
2508 2561
2509 { 2562 {
2510 TransportSecurityState state; 2563 TransportSecurityState state;
2511 bool original_status = 2564 const TransportSecurityState::CTRequirementsStatus original_status =
2512 state.ShouldRequireCT("www.example.com", cert.get(), hashes); 2565 state.CheckCTRequirements(
2566 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2567 cert.get(), SignedCertificateTimestampAndStatusList(),
2568 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2569 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS);
2513 2570
2514 MockRequireCTDelegate always_require_delegate; 2571 MockRequireCTDelegate always_require_delegate;
2515 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) 2572 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_))
2516 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); 2573 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED));
2517 state.SetRequireCTDelegate(&always_require_delegate); 2574 state.SetRequireCTDelegate(&always_require_delegate);
2518 EXPECT_TRUE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2575 EXPECT_EQ(
2576 TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
2577 state.CheckCTRequirements(
2578 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2579 cert.get(), SignedCertificateTimestampAndStatusList(),
2580 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2581 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2582 EXPECT_EQ(
2583 TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
2584 state.CheckCTRequirements(
2585 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2586 cert.get(), SignedCertificateTimestampAndStatusList(),
2587 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2588 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
2589 EXPECT_EQ(
2590 TransportSecurityState::CT_REQUIREMENTS_MET,
2591 state.CheckCTRequirements(
2592 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2593 cert.get(), SignedCertificateTimestampAndStatusList(),
2594 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2595 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS));
2596 EXPECT_EQ(
2597 TransportSecurityState::CT_REQUIREMENTS_MET,
2598 state.CheckCTRequirements(
2599 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2600 cert.get(), SignedCertificateTimestampAndStatusList(),
2601 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2602 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY));
2519 2603
2520 state.SetRequireCTDelegate(nullptr); 2604 state.SetRequireCTDelegate(nullptr);
2521 EXPECT_EQ(original_status, 2605 EXPECT_EQ(
2522 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2606 original_status,
2607 state.CheckCTRequirements(
2608 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2609 cert.get(), SignedCertificateTimestampAndStatusList(),
2610 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2611 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2523 } 2612 }
2524 2613
2525 { 2614 {
2526 TransportSecurityState state; 2615 TransportSecurityState state;
2527 bool original_status = 2616 const TransportSecurityState::CTRequirementsStatus original_status =
2528 state.ShouldRequireCT("www.example.com", cert.get(), hashes); 2617 state.CheckCTRequirements(
2618 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2619 cert.get(), SignedCertificateTimestampAndStatusList(),
2620 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2621 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS);
2529 2622
2530 MockRequireCTDelegate never_require_delegate; 2623 MockRequireCTDelegate never_require_delegate;
2531 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_)) 2624 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_))
2532 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); 2625 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED));
2533 state.SetRequireCTDelegate(&never_require_delegate); 2626 state.SetRequireCTDelegate(&never_require_delegate);
2534 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2627 EXPECT_EQ(
2628 TransportSecurityState::CT_REQUIREMENTS_MET,
2629 state.CheckCTRequirements(
2630 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2631 cert.get(), SignedCertificateTimestampAndStatusList(),
2632 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2633 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2634 EXPECT_EQ(
2635 TransportSecurityState::CT_REQUIREMENTS_MET,
2636 state.CheckCTRequirements(
2637 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2638 cert.get(), SignedCertificateTimestampAndStatusList(),
2639 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2640 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
2535 2641
2536 state.SetRequireCTDelegate(nullptr); 2642 state.SetRequireCTDelegate(nullptr);
2537 EXPECT_EQ(original_status, 2643 EXPECT_EQ(
2538 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2644 original_status,
2645 state.CheckCTRequirements(
2646 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2647 cert.get(), SignedCertificateTimestampAndStatusList(),
2648 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2649 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2539 } 2650 }
2540 2651
2541 { 2652 {
2542 TransportSecurityState state; 2653 TransportSecurityState state;
2543 bool original_status = 2654 const TransportSecurityState::CTRequirementsStatus original_status =
2544 state.ShouldRequireCT("www.example.com", cert.get(), hashes); 2655 state.CheckCTRequirements(
2656 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2657 cert.get(), SignedCertificateTimestampAndStatusList(),
2658 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2659 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS);
2545 2660
2546 MockRequireCTDelegate default_require_ct_delegate; 2661 MockRequireCTDelegate default_require_ct_delegate;
2547 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_)) 2662 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_))
2548 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); 2663 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT));
2549 state.SetRequireCTDelegate(&default_require_ct_delegate); 2664 state.SetRequireCTDelegate(&default_require_ct_delegate);
2550 EXPECT_EQ(original_status, 2665 EXPECT_EQ(
2551 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2666 original_status,
2667 state.CheckCTRequirements(
2668 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2669 cert.get(), SignedCertificateTimestampAndStatusList(),
2670 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2671 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2552 2672
2553 state.SetRequireCTDelegate(nullptr); 2673 state.SetRequireCTDelegate(nullptr);
2554 EXPECT_EQ(original_status, 2674 EXPECT_EQ(
2555 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); 2675 original_status,
2676 state.CheckCTRequirements(
2677 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
2678 cert.get(), SignedCertificateTimestampAndStatusList(),
2679 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2680 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2556 } 2681 }
2557 } 2682 }
2558 2683
2559 // Tests that Certificate Transparency is required for Symantec-issued 2684 // Tests that Certificate Transparency is required for Symantec-issued
2560 // certificates, unless the certificate was issued prior to 1 June 2016 2685 // certificates, unless the certificate was issued prior to 1 June 2016
2561 // or the issuing CA is whitelisted as independently operated. 2686 // or the issuing CA is whitelisted as independently operated.
2562 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { 2687 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
2563 // Test certificates before and after the 1 June 2016 deadline. 2688 // Test certificates before and after the 1 June 2016 deadline.
2564 scoped_refptr<X509Certificate> before_cert = 2689 scoped_refptr<X509Certificate> before_cert =
2565 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); 2690 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem");
(...skipping 11 matching lines...) Expand all
2577 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, 2702 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48,
2578 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; 2703 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}};
2579 2704
2580 TransportSecurityState state; 2705 TransportSecurityState state;
2581 2706
2582 HashValueVector hashes; 2707 HashValueVector hashes;
2583 hashes.push_back(HashValue(symantec_hash_value)); 2708 hashes.push_back(HashValue(symantec_hash_value));
2584 2709
2585 // Certificates issued by Symantec prior to 1 June 2016 should not 2710 // Certificates issued by Symantec prior to 1 June 2016 should not
2586 // be required to be disclosed via CT. 2711 // be required to be disclosed via CT.
2587 EXPECT_FALSE( 2712 EXPECT_EQ(
2588 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); 2713 TransportSecurityState::CT_REQUIREMENTS_MET,
2714 state.CheckCTRequirements(
2715 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(),
2716 before_cert.get(), SignedCertificateTimestampAndStatusList(),
2717 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2718 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2589 2719
2590 // ... but certificates issued after 1 June 2016 are required to be... 2720 // ... but certificates issued after 1 June 2016 are required to be...
2591 EXPECT_TRUE( 2721 EXPECT_EQ(
2592 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); 2722 TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
2723 state.CheckCTRequirements(
2724 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2725 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2726 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2727 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2728 EXPECT_EQ(
2729 TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
2730 state.CheckCTRequirements(
2731 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2732 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2733 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2734 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
2735 EXPECT_EQ(
2736 TransportSecurityState::CT_REQUIREMENTS_MET,
2737 state.CheckCTRequirements(
2738 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2739 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2740 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2741 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY));
2742 EXPECT_EQ(
2743 TransportSecurityState::CT_REQUIREMENTS_MET,
2744 state.CheckCTRequirements(
2745 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2746 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2747 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2748 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS));
2593 2749
2594 // ... unless they were issued by an excluded intermediate. 2750 // ... unless they were issued by an excluded intermediate.
2595 hashes.push_back(HashValue(google_hash_value)); 2751 hashes.push_back(HashValue(google_hash_value));
2596 EXPECT_FALSE( 2752 EXPECT_EQ(
2597 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); 2753 TransportSecurityState::CT_REQUIREMENTS_MET,
2598 EXPECT_FALSE( 2754 state.CheckCTRequirements(
2599 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); 2755 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(),
2756 before_cert.get(), SignedCertificateTimestampAndStatusList(),
2757 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2758 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2759 EXPECT_EQ(
2760 TransportSecurityState::CT_REQUIREMENTS_MET,
2761 state.CheckCTRequirements(
2762 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2763 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2764 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2765 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2600 2766
2601 // And other certificates should remain unaffected. 2767 // And other certificates should remain unaffected.
2602 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}}; 2768 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}};
2603 HashValueVector unrelated_hashes; 2769 HashValueVector unrelated_hashes;
2604 unrelated_hashes.push_back(HashValue(unrelated_hash_value)); 2770 unrelated_hashes.push_back(HashValue(unrelated_hash_value));
2605 2771
2606 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", before_cert.get(), 2772 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET,
2607 unrelated_hashes)); 2773 state.CheckCTRequirements(
2608 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", after_cert.get(), 2774 HostPortPair("www.example.com", 443), true, unrelated_hashes,
2609 unrelated_hashes)); 2775 before_cert.get(), before_cert.get(),
2776 SignedCertificateTimestampAndStatusList(),
2777 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2778 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2779 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET,
2780 state.CheckCTRequirements(
2781 HostPortPair("www.example.com", 443), true, unrelated_hashes,
2782 after_cert.get(), after_cert.get(),
2783 SignedCertificateTimestampAndStatusList(),
2784 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2785 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2610 2786
2611 // And the emergency field trial should disable the requirement, if 2787 // And the emergency field trial should disable the requirement, if
2612 // necessary. 2788 // necessary.
2613 hashes.clear(); 2789 hashes.clear();
2614 hashes.push_back(HashValue(symantec_hash_value)); 2790 hashes.push_back(HashValue(symantec_hash_value));
2615 base::FieldTrialList field_trial_list( 2791 base::FieldTrialList field_trial_list(
2616 base::MakeUnique<base::MockEntropyProvider>()); 2792 base::MakeUnique<base::MockEntropyProvider>());
2617 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", 2793 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots",
2618 "disabled"); 2794 "disabled");
2619 2795
2620 EXPECT_FALSE( 2796 EXPECT_EQ(
2621 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); 2797 TransportSecurityState::CT_REQUIREMENTS_MET,
2622 EXPECT_FALSE( 2798 state.CheckCTRequirements(
2623 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); 2799 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(),
2800 before_cert.get(), SignedCertificateTimestampAndStatusList(),
2801 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2802 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2803 EXPECT_EQ(
2804 TransportSecurityState::CT_REQUIREMENTS_MET,
2805 state.CheckCTRequirements(
2806 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(),
2807 after_cert.get(), SignedCertificateTimestampAndStatusList(),
2808 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
2809 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
2624 } 2810 }
2625 2811
2626 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). 2812 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData().
2627 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { 2813 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) {
2628 base::test::ScopedFeatureList feature_list; 2814 base::test::ScopedFeatureList feature_list;
2629 feature_list.InitAndEnableFeature( 2815 feature_list.InitAndEnableFeature(
2630 TransportSecurityState::kDynamicExpectCTFeature); 2816 TransportSecurityState::kDynamicExpectCTFeature);
2631 const std::string host("example.test"); 2817 const std::string host("example.test");
2632 TransportSecurityState state; 2818 TransportSecurityState state;
2633 TransportSecurityState::ExpectCTState expect_ct_state; 2819 TransportSecurityState::ExpectCTState expect_ct_state;
(...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after
2777 MockExpectCTReporter reporter; 2963 MockExpectCTReporter reporter;
2778 state.SetExpectCTReporter(&reporter); 2964 state.SetExpectCTReporter(&reporter);
2779 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); 2965 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl);
2780 TransportSecurityState::ExpectCTState expect_ct_state; 2966 TransportSecurityState::ExpectCTState expect_ct_state;
2781 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); 2967 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state));
2782 EXPECT_EQ(0u, reporter.num_failures()); 2968 EXPECT_EQ(0u, reporter.num_failures());
2783 } 2969 }
2784 2970
2785 // Tests that Expect-CT reports are sent when an Expect-CT header is received 2971 // Tests that Expect-CT reports are sent when an Expect-CT header is received
2786 // over a non-compliant connection. 2972 // over a non-compliant connection.
2787 TEST_F(TransportSecurityStateTest, DynamicExpectCTNonCompliant) { 2973 TEST_F(TransportSecurityStateTest,
2974 DynamicExpectCTHeaderProcessingNonCompliant) {
2788 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; 2975 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\"";
2789 SSLInfo ssl; 2976 SSLInfo ssl;
2790 ssl.is_issued_by_known_root = true; 2977 ssl.is_issued_by_known_root = true;
2791 ssl.ct_compliance_details_available = true; 2978 ssl.ct_compliance_details_available = true;
2792 ssl.ct_cert_policy_compliance = 2979 ssl.ct_cert_policy_compliance =
2793 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; 2980 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
2981 scoped_refptr<X509Certificate> cert1 =
2982 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
2983 scoped_refptr<X509Certificate> cert2 =
2984 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
2985 ASSERT_TRUE(cert1);
2986 ASSERT_TRUE(cert2);
2987 ssl.unverified_cert = cert1;
2988 ssl.cert = cert2;
2989 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
2990 std::string(), std::string(), base::Time::Now(),
2991 ct::SCT_STATUS_INVALID_SIGNATURE,
2992 &ssl.signed_certificate_timestamps);
2794 2993
2795 base::test::ScopedFeatureList feature_list; 2994 base::test::ScopedFeatureList feature_list;
2796 feature_list.InitAndEnableFeature( 2995 feature_list.InitAndEnableFeature(
2797 TransportSecurityState::kDynamicExpectCTFeature); 2996 TransportSecurityState::kDynamicExpectCTFeature);
2798 TransportSecurityState state; 2997 TransportSecurityState state;
2799 MockExpectCTReporter reporter; 2998 MockExpectCTReporter reporter;
2800 state.SetExpectCTReporter(&reporter); 2999 state.SetExpectCTReporter(&reporter);
2801 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); 3000 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl);
2802 TransportSecurityState::ExpectCTState expect_ct_state; 3001 TransportSecurityState::ExpectCTState expect_ct_state;
2803 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); 3002 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state));
2804 EXPECT_EQ(1u, reporter.num_failures()); 3003 EXPECT_EQ(1u, reporter.num_failures());
2805 EXPECT_EQ("example.test", reporter.host_port_pair().host()); 3004 EXPECT_EQ("example.test", reporter.host_port_pair().host());
3005 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain());
3006 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain());
3007 EXPECT_EQ(ssl.signed_certificate_timestamps.size(),
3008 reporter.signed_certificate_timestamps().size());
3009 EXPECT_EQ(ssl.signed_certificate_timestamps[0].status,
3010 reporter.signed_certificate_timestamps()[0].status);
3011 EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct,
3012 reporter.signed_certificate_timestamps()[0].sct);
3013 }
3014
3015 // Tests that CheckCTRequirements() returns false if a connection to a host
3016 // violates an Expect-CT header, and that it reports violations.
3017 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
3018 const base::Time current_time(base::Time::Now());
3019 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
3020 scoped_refptr<X509Certificate> cert1 =
3021 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
3022 scoped_refptr<X509Certificate> cert2 =
3023 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
3024 ASSERT_TRUE(cert1);
3025 ASSERT_TRUE(cert2);
3026 SignedCertificateTimestampAndStatusList sct_list;
3027 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
3028 std::string(), std::string(), base::Time::Now(),
3029 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list);
3030
3031 base::test::ScopedFeatureList feature_list;
3032 feature_list.InitAndEnableFeature(
3033 TransportSecurityState::kDynamicExpectCTFeature);
3034
3035 TransportSecurityState state;
3036 MockExpectCTReporter reporter;
3037 state.SetExpectCTReporter(&reporter);
3038 state.AddExpectCT("example.test", expiry, true /* enforce */,
3039 GURL("https://example-report.test"));
3040 state.AddExpectCT("example-report-only.test", expiry, false /* enforce */,
3041 GURL("https://example-report.test"));
3042 state.AddExpectCT("example-enforce-only.test", expiry, true /* enforce */,
3043 GURL());
3044
3045 // Test that a connection to an unrelated host is not affected.
3046 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET,
3047 state.CheckCTRequirements(
3048 HostPortPair("example2.test", 443), true, HashValueVector(),
3049 cert1.get(), cert2.get(), sct_list,
3050 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3051 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3052 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET,
3053 state.CheckCTRequirements(
3054 HostPortPair("example2.test", 443), true, HashValueVector(),
3055 cert1.get(), cert2.get(), sct_list,
3056 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3057 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
3058 EXPECT_EQ(0u, reporter.num_failures());
3059
3060 // A connection to an Expect-CT host should be closed and reported.
3061 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
3062 state.CheckCTRequirements(
3063 HostPortPair("example.test", 443), true, HashValueVector(),
3064 cert1.get(), cert2.get(), sct_list,
3065 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3066 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3067 EXPECT_EQ(1u, reporter.num_failures());
3068 EXPECT_EQ("example.test", reporter.host_port_pair().host());
3069 EXPECT_EQ(443, reporter.host_port_pair().port());
3070 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain());
3071 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain());
3072 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size());
3073 EXPECT_EQ(sct_list[0].status,
3074 reporter.signed_certificate_timestamps()[0].status);
3075 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
3076
3077 // A compliant connection to an Expect-CT host should not be closed or
3078 // reported.
3079 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET,
3080 state.CheckCTRequirements(
3081 HostPortPair("example.test", 443), true, HashValueVector(),
3082 cert1.get(), cert2.get(), sct_list,
3083 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3084 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS));
3085 EXPECT_EQ(1u, reporter.num_failures());
3086 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET,
3087 state.CheckCTRequirements(
3088 HostPortPair("example.test", 443), true, HashValueVector(),
3089 cert1.get(), cert2.get(), sct_list,
3090 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3091 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY));
3092 EXPECT_EQ(1u, reporter.num_failures());
3093
3094 // A connection to a report-only host should be reported only.
3095 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET,
3096 state.CheckCTRequirements(
3097 HostPortPair("example-report-only.test", 443), true,
3098 HashValueVector(), cert1.get(), cert2.get(), sct_list,
3099 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3100 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
3101 EXPECT_EQ(2u, reporter.num_failures());
3102 EXPECT_EQ("example-report-only.test", reporter.host_port_pair().host());
3103 EXPECT_EQ(443, reporter.host_port_pair().port());
3104 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain());
3105 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain());
3106 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size());
3107 EXPECT_EQ(sct_list[0].status,
3108 reporter.signed_certificate_timestamps()[0].status);
3109 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
3110
3111 // A connection to an enforce-only host should be closed but not reported.
3112 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
3113 state.CheckCTRequirements(
3114 HostPortPair("example-enforce-only.test", 443), true,
3115 HashValueVector(), cert1.get(), cert2.get(), sct_list,
3116 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3117 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS));
3118 EXPECT_EQ(2u, reporter.num_failures());
3119
3120 // A connection with a private root should be neither enforced nor reported.
3121 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET,
3122 state.CheckCTRequirements(
3123 HostPortPair("example.test", 443), false, HashValueVector(),
3124 cert1.get(), cert2.get(), sct_list,
3125 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3126 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3127 EXPECT_EQ(2u, reporter.num_failures());
3128
3129 // A connection with DISABLE_EXPECT_CT_REPORTS should not send a report.
3130 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
3131 state.CheckCTRequirements(
3132 HostPortPair("example.test", 443), true, HashValueVector(),
3133 cert1.get(), cert2.get(), sct_list,
3134 TransportSecurityState::DISABLE_EXPECT_CT_REPORTS,
3135 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3136 EXPECT_EQ(2u, reporter.num_failures());
3137 }
3138
3139 // Tests that for a host that requires CT by delegate and is also
3140 // Expect-CT-enabled, CheckCTRequirements() sends reports.
3141 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCTAndDelegate) {
3142 using ::testing::_;
3143 using ::testing::Return;
3144 using CTRequirementLevel =
3145 TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
3146
3147 const base::Time current_time(base::Time::Now());
3148 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
3149 scoped_refptr<X509Certificate> cert1 =
3150 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
3151 scoped_refptr<X509Certificate> cert2 =
3152 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
3153 ASSERT_TRUE(cert1);
3154 ASSERT_TRUE(cert2);
3155 SignedCertificateTimestampAndStatusList sct_list;
3156 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
3157 std::string(), std::string(), base::Time::Now(),
3158 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list);
3159
3160 base::test::ScopedFeatureList feature_list;
3161 feature_list.InitAndEnableFeature(
3162 TransportSecurityState::kDynamicExpectCTFeature);
3163
3164 TransportSecurityState state;
3165 MockExpectCTReporter reporter;
3166 state.SetExpectCTReporter(&reporter);
3167 state.AddExpectCT("example.test", expiry, false /* enforce */,
3168 GURL("https://example-report.test"));
3169
3170 // A connection to an Expect-CT host, which also requires CT by the delegate,
3171 // should be closed and reported.
3172 MockRequireCTDelegate always_require_delegate;
3173 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_))
3174 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED));
3175 state.SetRequireCTDelegate(&always_require_delegate);
3176 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
3177 state.CheckCTRequirements(
3178 HostPortPair("example.test", 443), true, HashValueVector(),
3179 cert1.get(), cert2.get(), sct_list,
3180 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
3181 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS));
3182 EXPECT_EQ(1u, reporter.num_failures());
3183 EXPECT_EQ("example.test", reporter.host_port_pair().host());
3184 EXPECT_EQ(443, reporter.host_port_pair().port());
3185 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain());
3186 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain());
3187 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size());
3188 EXPECT_EQ(sct_list[0].status,
3189 reporter.signed_certificate_timestamps()[0].status);
3190 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
2806 } 3191 }
2807 3192
2808 } // namespace net 3193 } // namespace net
OLDNEW
« no previous file with comments | « net/http/transport_security_state.cc ('k') | net/quic/chromium/crypto/proof_verifier_chromium.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698