OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
86 const char* const kBadPath[] = { | 86 const char* const kBadPath[] = { |
87 "sha1/111111111111111111111111111=", | 87 "sha1/111111111111111111111111111=", |
88 "sha1/222222222222222222222222222=", | 88 "sha1/222222222222222222222222222=", |
89 "sha1/333333333333333333333333333=", | 89 "sha1/333333333333333333333333333=", |
90 "sha256/1111111111111111111111111111111111111111111=", | 90 "sha256/1111111111111111111111111111111111111111111=", |
91 "sha256/2222222222222222222222222222222222222222222=", | 91 "sha256/2222222222222222222222222222222222222222222=", |
92 "sha256/3333333333333333333333333333333333333333333=", | 92 "sha256/3333333333333333333333333333333333333333333=", |
93 nullptr, | 93 nullptr, |
94 }; | 94 }; |
95 | 95 |
| 96 // Constructs a SignedCertificateTimestampAndStatus with the given information |
| 97 // and appends it to |sct_list|. |
| 98 void MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::Origin origin, |
| 99 const std::string& log_id, |
| 100 const std::string& extensions, |
| 101 const std::string& signature_data, |
| 102 const base::Time& timestamp, |
| 103 ct::SCTVerifyStatus status, |
| 104 SignedCertificateTimestampAndStatusList* sct_list) { |
| 105 scoped_refptr<net::ct::SignedCertificateTimestamp> sct( |
| 106 new net::ct::SignedCertificateTimestamp()); |
| 107 sct->version = net::ct::SignedCertificateTimestamp::V1; |
| 108 sct->log_id = log_id; |
| 109 sct->extensions = extensions; |
| 110 sct->timestamp = timestamp; |
| 111 sct->signature.signature_data = signature_data; |
| 112 sct->origin = origin; |
| 113 sct_list->push_back(net::SignedCertificateTimestampAndStatus(sct, status)); |
| 114 } |
| 115 |
96 // A mock ReportSenderInterface that just remembers the latest report | 116 // A mock ReportSenderInterface that just remembers the latest report |
97 // URI and report to be sent. | 117 // URI and report to be sent. |
98 class MockCertificateReportSender | 118 class MockCertificateReportSender |
99 : public TransportSecurityState::ReportSenderInterface { | 119 : public TransportSecurityState::ReportSenderInterface { |
100 public: | 120 public: |
101 MockCertificateReportSender() {} | 121 MockCertificateReportSender() {} |
102 ~MockCertificateReportSender() override {} | 122 ~MockCertificateReportSender() override {} |
103 | 123 |
104 void Send(const GURL& report_uri, | 124 void Send(const GURL& report_uri, |
105 base::StringPiece content_type, | 125 base::StringPiece content_type, |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
154 | 174 |
155 // A mock ExpectCTReporter that remembers the latest violation that was | 175 // A mock ExpectCTReporter that remembers the latest violation that was |
156 // reported and the number of violations reported. | 176 // reported and the number of violations reported. |
157 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { | 177 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { |
158 public: | 178 public: |
159 MockExpectCTReporter() : num_failures_(0) {} | 179 MockExpectCTReporter() : num_failures_(0) {} |
160 ~MockExpectCTReporter() override {} | 180 ~MockExpectCTReporter() override {} |
161 | 181 |
162 void OnExpectCTFailed(const HostPortPair& host_port_pair, | 182 void OnExpectCTFailed(const HostPortPair& host_port_pair, |
163 const GURL& report_uri, | 183 const GURL& report_uri, |
164 const net::SSLInfo& ssl_info) override { | 184 const X509Certificate* validated_certificate_chain, |
| 185 const X509Certificate* served_certificate_chain, |
| 186 const SignedCertificateTimestampAndStatusList& |
| 187 signed_certificate_timestamps) override { |
165 num_failures_++; | 188 num_failures_++; |
166 host_port_pair_ = host_port_pair; | 189 host_port_pair_ = host_port_pair; |
167 report_uri_ = report_uri; | 190 report_uri_ = report_uri; |
168 ssl_info_ = ssl_info; | 191 served_certificate_chain_ = served_certificate_chain; |
| 192 validated_certificate_chain_ = validated_certificate_chain; |
| 193 signed_certificate_timestamps_ = signed_certificate_timestamps; |
169 } | 194 } |
170 | 195 |
171 const HostPortPair& host_port_pair() { return host_port_pair_; } | 196 const HostPortPair& host_port_pair() { return host_port_pair_; } |
172 const GURL& report_uri() { return report_uri_; } | 197 const GURL& report_uri() { return report_uri_; } |
173 const SSLInfo& ssl_info() { return ssl_info_; } | |
174 uint32_t num_failures() { return num_failures_; } | 198 uint32_t num_failures() { return num_failures_; } |
| 199 const X509Certificate* served_certificate_chain() { |
| 200 return served_certificate_chain_; |
| 201 } |
| 202 const X509Certificate* validated_certificate_chain() { |
| 203 return validated_certificate_chain_; |
| 204 } |
| 205 const SignedCertificateTimestampAndStatusList& |
| 206 signed_certificate_timestamps() { |
| 207 return signed_certificate_timestamps_; |
| 208 } |
175 | 209 |
176 private: | 210 private: |
177 HostPortPair host_port_pair_; | 211 HostPortPair host_port_pair_; |
178 GURL report_uri_; | 212 GURL report_uri_; |
179 SSLInfo ssl_info_; | |
180 uint32_t num_failures_; | 213 uint32_t num_failures_; |
| 214 const X509Certificate* served_certificate_chain_; |
| 215 const X509Certificate* validated_certificate_chain_; |
| 216 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_; |
181 }; | 217 }; |
182 | 218 |
183 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { | 219 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { |
184 public: | 220 public: |
185 MOCK_METHOD1(IsCTRequiredForHost, | 221 MOCK_METHOD1(IsCTRequiredForHost, |
186 CTRequirementLevel(const std::string& hostname)); | 222 CTRequirementLevel(const std::string& hostname)); |
187 }; | 223 }; |
188 | 224 |
189 void CompareCertificateChainWithList( | 225 void CompareCertificateChainWithList( |
190 const scoped_refptr<X509Certificate>& cert_chain, | 226 const scoped_refptr<X509Certificate>& cert_chain, |
(...skipping 1828 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2019 | 2055 |
2020 // Tests that the Expect CT reporter is notified for noncompliant | 2056 // Tests that the Expect CT reporter is notified for noncompliant |
2021 // connections. | 2057 // connections. |
2022 TEST_F(TransportSecurityStateTest, ExpectCTReporter) { | 2058 TEST_F(TransportSecurityStateTest, ExpectCTReporter) { |
2023 HostPortPair host_port(kExpectCTStaticHostname, 443); | 2059 HostPortPair host_port(kExpectCTStaticHostname, 443); |
2024 SSLInfo ssl_info; | 2060 SSLInfo ssl_info; |
2025 ssl_info.ct_compliance_details_available = true; | 2061 ssl_info.ct_compliance_details_available = true; |
2026 ssl_info.ct_cert_policy_compliance = | 2062 ssl_info.ct_cert_policy_compliance = |
2027 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS; | 2063 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS; |
2028 ssl_info.is_issued_by_known_root = true; | 2064 ssl_info.is_issued_by_known_root = true; |
| 2065 scoped_refptr<X509Certificate> cert1 = |
| 2066 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 2067 scoped_refptr<X509Certificate> cert2 = |
| 2068 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 2069 ASSERT_TRUE(cert1); |
| 2070 ASSERT_TRUE(cert2); |
| 2071 ssl_info.unverified_cert = cert1; |
| 2072 ssl_info.cert = cert2; |
| 2073 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", |
| 2074 std::string(), std::string(), base::Time::Now(), |
| 2075 ct::SCT_STATUS_INVALID_SIGNATURE, |
| 2076 &ssl_info.signed_certificate_timestamps); |
2029 | 2077 |
2030 TransportSecurityState state; | 2078 TransportSecurityState state; |
2031 TransportSecurityStateTest::EnableStaticExpectCT(&state); | 2079 TransportSecurityStateTest::EnableStaticExpectCT(&state); |
2032 MockExpectCTReporter reporter; | 2080 MockExpectCTReporter reporter; |
2033 state.SetExpectCTReporter(&reporter); | 2081 state.SetExpectCTReporter(&reporter); |
2034 state.ProcessExpectCTHeader("preload", host_port, ssl_info); | 2082 state.ProcessExpectCTHeader("preload", host_port, ssl_info); |
2035 EXPECT_EQ(1u, reporter.num_failures()); | 2083 EXPECT_EQ(1u, reporter.num_failures()); |
2036 EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available); | |
2037 EXPECT_EQ(ssl_info.ct_cert_policy_compliance, | |
2038 reporter.ssl_info().ct_cert_policy_compliance); | |
2039 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); | 2084 EXPECT_EQ(host_port.host(), reporter.host_port_pair().host()); |
2040 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); | 2085 EXPECT_EQ(host_port.port(), reporter.host_port_pair().port()); |
2041 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); | 2086 EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri()); |
| 2087 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); |
| 2088 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); |
| 2089 EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(), |
| 2090 reporter.signed_certificate_timestamps().size()); |
| 2091 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status, |
| 2092 reporter.signed_certificate_timestamps()[0].status); |
| 2093 EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct, |
| 2094 reporter.signed_certificate_timestamps()[0].sct); |
2042 } | 2095 } |
2043 | 2096 |
2044 // Simple test for the HSTS preload process. The trie (generated from | 2097 // Simple test for the HSTS preload process. The trie (generated from |
2045 // transport_security_state_static_unittest1.json) contains 1 entry. Test that | 2098 // transport_security_state_static_unittest1.json) contains 1 entry. Test that |
2046 // the lookup methods can find the entry and correctly decode the different | 2099 // the lookup methods can find the entry and correctly decode the different |
2047 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). | 2100 // preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple). |
2048 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { | 2101 TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { |
2049 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); | 2102 SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource); |
2050 | 2103 |
2051 TransportSecurityState state; | 2104 TransportSecurityState state; |
(...skipping 449 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2501 scoped_refptr<X509Certificate> cert = | 2554 scoped_refptr<X509Certificate> cert = |
2502 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); | 2555 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
2503 ASSERT_TRUE(cert); | 2556 ASSERT_TRUE(cert); |
2504 | 2557 |
2505 HashValueVector hashes; | 2558 HashValueVector hashes; |
2506 hashes.push_back(HashValue( | 2559 hashes.push_back(HashValue( |
2507 X509Certificate::CalculateFingerprint256(cert->os_cert_handle()))); | 2560 X509Certificate::CalculateFingerprint256(cert->os_cert_handle()))); |
2508 | 2561 |
2509 { | 2562 { |
2510 TransportSecurityState state; | 2563 TransportSecurityState state; |
2511 bool original_status = | 2564 const TransportSecurityState::CTRequirementsStatus original_status = |
2512 state.ShouldRequireCT("www.example.com", cert.get(), hashes); | 2565 state.CheckCTRequirements( |
| 2566 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2567 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2568 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2569 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS); |
2513 | 2570 |
2514 MockRequireCTDelegate always_require_delegate; | 2571 MockRequireCTDelegate always_require_delegate; |
2515 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) | 2572 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) |
2516 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); | 2573 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); |
2517 state.SetRequireCTDelegate(&always_require_delegate); | 2574 state.SetRequireCTDelegate(&always_require_delegate); |
2518 EXPECT_TRUE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2575 EXPECT_EQ( |
| 2576 TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 2577 state.CheckCTRequirements( |
| 2578 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2579 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2580 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2581 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2582 EXPECT_EQ( |
| 2583 TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 2584 state.CheckCTRequirements( |
| 2585 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2586 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2587 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2588 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); |
| 2589 EXPECT_EQ( |
| 2590 TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2591 state.CheckCTRequirements( |
| 2592 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2593 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2594 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2595 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
| 2596 EXPECT_EQ( |
| 2597 TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2598 state.CheckCTRequirements( |
| 2599 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2600 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2601 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2602 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY)); |
2519 | 2603 |
2520 state.SetRequireCTDelegate(nullptr); | 2604 state.SetRequireCTDelegate(nullptr); |
2521 EXPECT_EQ(original_status, | 2605 EXPECT_EQ( |
2522 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2606 original_status, |
| 2607 state.CheckCTRequirements( |
| 2608 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2609 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2610 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2611 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
2523 } | 2612 } |
2524 | 2613 |
2525 { | 2614 { |
2526 TransportSecurityState state; | 2615 TransportSecurityState state; |
2527 bool original_status = | 2616 const TransportSecurityState::CTRequirementsStatus original_status = |
2528 state.ShouldRequireCT("www.example.com", cert.get(), hashes); | 2617 state.CheckCTRequirements( |
| 2618 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2619 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2620 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2621 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS); |
2529 | 2622 |
2530 MockRequireCTDelegate never_require_delegate; | 2623 MockRequireCTDelegate never_require_delegate; |
2531 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_)) | 2624 EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_)) |
2532 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); | 2625 .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED)); |
2533 state.SetRequireCTDelegate(&never_require_delegate); | 2626 state.SetRequireCTDelegate(&never_require_delegate); |
2534 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2627 EXPECT_EQ( |
| 2628 TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2629 state.CheckCTRequirements( |
| 2630 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2631 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2632 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2633 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2634 EXPECT_EQ( |
| 2635 TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2636 state.CheckCTRequirements( |
| 2637 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2638 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2639 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2640 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); |
2535 | 2641 |
2536 state.SetRequireCTDelegate(nullptr); | 2642 state.SetRequireCTDelegate(nullptr); |
2537 EXPECT_EQ(original_status, | 2643 EXPECT_EQ( |
2538 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2644 original_status, |
| 2645 state.CheckCTRequirements( |
| 2646 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2647 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2648 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2649 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
2539 } | 2650 } |
2540 | 2651 |
2541 { | 2652 { |
2542 TransportSecurityState state; | 2653 TransportSecurityState state; |
2543 bool original_status = | 2654 const TransportSecurityState::CTRequirementsStatus original_status = |
2544 state.ShouldRequireCT("www.example.com", cert.get(), hashes); | 2655 state.CheckCTRequirements( |
| 2656 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2657 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2658 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2659 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS); |
2545 | 2660 |
2546 MockRequireCTDelegate default_require_ct_delegate; | 2661 MockRequireCTDelegate default_require_ct_delegate; |
2547 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_)) | 2662 EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_)) |
2548 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); | 2663 .WillRepeatedly(Return(CTRequirementLevel::DEFAULT)); |
2549 state.SetRequireCTDelegate(&default_require_ct_delegate); | 2664 state.SetRequireCTDelegate(&default_require_ct_delegate); |
2550 EXPECT_EQ(original_status, | 2665 EXPECT_EQ( |
2551 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2666 original_status, |
| 2667 state.CheckCTRequirements( |
| 2668 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2669 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2670 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2671 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
2552 | 2672 |
2553 state.SetRequireCTDelegate(nullptr); | 2673 state.SetRequireCTDelegate(nullptr); |
2554 EXPECT_EQ(original_status, | 2674 EXPECT_EQ( |
2555 state.ShouldRequireCT("www.example.com", cert.get(), hashes)); | 2675 original_status, |
| 2676 state.CheckCTRequirements( |
| 2677 HostPortPair("www.example.com", 443), true, hashes, cert.get(), |
| 2678 cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2679 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2680 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
2556 } | 2681 } |
2557 } | 2682 } |
2558 | 2683 |
2559 // Tests that Certificate Transparency is required for Symantec-issued | 2684 // Tests that Certificate Transparency is required for Symantec-issued |
2560 // certificates, unless the certificate was issued prior to 1 June 2016 | 2685 // certificates, unless the certificate was issued prior to 1 June 2016 |
2561 // or the issuing CA is whitelisted as independently operated. | 2686 // or the issuing CA is whitelisted as independently operated. |
2562 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { | 2687 TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { |
2563 // Test certificates before and after the 1 June 2016 deadline. | 2688 // Test certificates before and after the 1 June 2016 deadline. |
2564 scoped_refptr<X509Certificate> before_cert = | 2689 scoped_refptr<X509Certificate> before_cert = |
2565 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); | 2690 ImportCertFromFile(GetTestCertsDirectory(), "pre_june_2016.pem"); |
(...skipping 11 matching lines...) Expand all Loading... |
2577 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, | 2702 0x68, 0xac, 0x53, 0x8e, 0x40, 0xab, 0xab, 0x5b, 0x19, 0xa6, 0x48, |
2578 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; | 2703 0x56, 0x61, 0x04, 0x2a, 0x10, 0x61, 0xc4, 0x61, 0x27, 0x76}}; |
2579 | 2704 |
2580 TransportSecurityState state; | 2705 TransportSecurityState state; |
2581 | 2706 |
2582 HashValueVector hashes; | 2707 HashValueVector hashes; |
2583 hashes.push_back(HashValue(symantec_hash_value)); | 2708 hashes.push_back(HashValue(symantec_hash_value)); |
2584 | 2709 |
2585 // Certificates issued by Symantec prior to 1 June 2016 should not | 2710 // Certificates issued by Symantec prior to 1 June 2016 should not |
2586 // be required to be disclosed via CT. | 2711 // be required to be disclosed via CT. |
2587 EXPECT_FALSE( | 2712 EXPECT_EQ( |
2588 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2713 TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2714 state.CheckCTRequirements( |
| 2715 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), |
| 2716 before_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2717 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2718 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
2589 | 2719 |
2590 // ... but certificates issued after 1 June 2016 are required to be... | 2720 // ... but certificates issued after 1 June 2016 are required to be... |
2591 EXPECT_TRUE( | 2721 EXPECT_EQ( |
2592 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2722 TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 2723 state.CheckCTRequirements( |
| 2724 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
| 2725 after_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2726 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2727 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2728 EXPECT_EQ( |
| 2729 TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 2730 state.CheckCTRequirements( |
| 2731 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
| 2732 after_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2733 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2734 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); |
| 2735 EXPECT_EQ( |
| 2736 TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2737 state.CheckCTRequirements( |
| 2738 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
| 2739 after_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2740 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2741 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY)); |
| 2742 EXPECT_EQ( |
| 2743 TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2744 state.CheckCTRequirements( |
| 2745 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
| 2746 after_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2747 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2748 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
2593 | 2749 |
2594 // ... unless they were issued by an excluded intermediate. | 2750 // ... unless they were issued by an excluded intermediate. |
2595 hashes.push_back(HashValue(google_hash_value)); | 2751 hashes.push_back(HashValue(google_hash_value)); |
2596 EXPECT_FALSE( | 2752 EXPECT_EQ( |
2597 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2753 TransportSecurityState::CT_REQUIREMENTS_MET, |
2598 EXPECT_FALSE( | 2754 state.CheckCTRequirements( |
2599 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2755 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), |
| 2756 before_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2757 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2758 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2759 EXPECT_EQ( |
| 2760 TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2761 state.CheckCTRequirements( |
| 2762 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
| 2763 after_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2764 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2765 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
2600 | 2766 |
2601 // And other certificates should remain unaffected. | 2767 // And other certificates should remain unaffected. |
2602 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}}; | 2768 SHA256HashValue unrelated_hash_value = {{0x01, 0x02}}; |
2603 HashValueVector unrelated_hashes; | 2769 HashValueVector unrelated_hashes; |
2604 unrelated_hashes.push_back(HashValue(unrelated_hash_value)); | 2770 unrelated_hashes.push_back(HashValue(unrelated_hash_value)); |
2605 | 2771 |
2606 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", before_cert.get(), | 2772 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
2607 unrelated_hashes)); | 2773 state.CheckCTRequirements( |
2608 EXPECT_FALSE(state.ShouldRequireCT("www.example.com", after_cert.get(), | 2774 HostPortPair("www.example.com", 443), true, unrelated_hashes, |
2609 unrelated_hashes)); | 2775 before_cert.get(), before_cert.get(), |
| 2776 SignedCertificateTimestampAndStatusList(), |
| 2777 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2778 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2779 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2780 state.CheckCTRequirements( |
| 2781 HostPortPair("www.example.com", 443), true, unrelated_hashes, |
| 2782 after_cert.get(), after_cert.get(), |
| 2783 SignedCertificateTimestampAndStatusList(), |
| 2784 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2785 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
2610 | 2786 |
2611 // And the emergency field trial should disable the requirement, if | 2787 // And the emergency field trial should disable the requirement, if |
2612 // necessary. | 2788 // necessary. |
2613 hashes.clear(); | 2789 hashes.clear(); |
2614 hashes.push_back(HashValue(symantec_hash_value)); | 2790 hashes.push_back(HashValue(symantec_hash_value)); |
2615 base::FieldTrialList field_trial_list( | 2791 base::FieldTrialList field_trial_list( |
2616 base::MakeUnique<base::MockEntropyProvider>()); | 2792 base::MakeUnique<base::MockEntropyProvider>()); |
2617 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", | 2793 base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots", |
2618 "disabled"); | 2794 "disabled"); |
2619 | 2795 |
2620 EXPECT_FALSE( | 2796 EXPECT_EQ( |
2621 state.ShouldRequireCT("www.example.com", before_cert.get(), hashes)); | 2797 TransportSecurityState::CT_REQUIREMENTS_MET, |
2622 EXPECT_FALSE( | 2798 state.CheckCTRequirements( |
2623 state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); | 2799 HostPortPair("www.example.com", 443), true, hashes, before_cert.get(), |
| 2800 before_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2801 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2802 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 2803 EXPECT_EQ( |
| 2804 TransportSecurityState::CT_REQUIREMENTS_MET, |
| 2805 state.CheckCTRequirements( |
| 2806 HostPortPair("www.example.com", 443), true, hashes, after_cert.get(), |
| 2807 after_cert.get(), SignedCertificateTimestampAndStatusList(), |
| 2808 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 2809 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
2624 } | 2810 } |
2625 | 2811 |
2626 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). | 2812 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). |
2627 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { | 2813 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { |
2628 base::test::ScopedFeatureList feature_list; | 2814 base::test::ScopedFeatureList feature_list; |
2629 feature_list.InitAndEnableFeature( | 2815 feature_list.InitAndEnableFeature( |
2630 TransportSecurityState::kDynamicExpectCTFeature); | 2816 TransportSecurityState::kDynamicExpectCTFeature); |
2631 const std::string host("example.test"); | 2817 const std::string host("example.test"); |
2632 TransportSecurityState state; | 2818 TransportSecurityState state; |
2633 TransportSecurityState::ExpectCTState expect_ct_state; | 2819 TransportSecurityState::ExpectCTState expect_ct_state; |
(...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2777 MockExpectCTReporter reporter; | 2963 MockExpectCTReporter reporter; |
2778 state.SetExpectCTReporter(&reporter); | 2964 state.SetExpectCTReporter(&reporter); |
2779 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); | 2965 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
2780 TransportSecurityState::ExpectCTState expect_ct_state; | 2966 TransportSecurityState::ExpectCTState expect_ct_state; |
2781 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); | 2967 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
2782 EXPECT_EQ(0u, reporter.num_failures()); | 2968 EXPECT_EQ(0u, reporter.num_failures()); |
2783 } | 2969 } |
2784 | 2970 |
2785 // Tests that Expect-CT reports are sent when an Expect-CT header is received | 2971 // Tests that Expect-CT reports are sent when an Expect-CT header is received |
2786 // over a non-compliant connection. | 2972 // over a non-compliant connection. |
2787 TEST_F(TransportSecurityStateTest, DynamicExpectCTNonCompliant) { | 2973 TEST_F(TransportSecurityStateTest, |
| 2974 DynamicExpectCTHeaderProcessingNonCompliant) { |
2788 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; | 2975 const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\""; |
2789 SSLInfo ssl; | 2976 SSLInfo ssl; |
2790 ssl.is_issued_by_known_root = true; | 2977 ssl.is_issued_by_known_root = true; |
2791 ssl.ct_compliance_details_available = true; | 2978 ssl.ct_compliance_details_available = true; |
2792 ssl.ct_cert_policy_compliance = | 2979 ssl.ct_cert_policy_compliance = |
2793 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; | 2980 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS; |
| 2981 scoped_refptr<X509Certificate> cert1 = |
| 2982 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 2983 scoped_refptr<X509Certificate> cert2 = |
| 2984 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 2985 ASSERT_TRUE(cert1); |
| 2986 ASSERT_TRUE(cert2); |
| 2987 ssl.unverified_cert = cert1; |
| 2988 ssl.cert = cert2; |
| 2989 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", |
| 2990 std::string(), std::string(), base::Time::Now(), |
| 2991 ct::SCT_STATUS_INVALID_SIGNATURE, |
| 2992 &ssl.signed_certificate_timestamps); |
2794 | 2993 |
2795 base::test::ScopedFeatureList feature_list; | 2994 base::test::ScopedFeatureList feature_list; |
2796 feature_list.InitAndEnableFeature( | 2995 feature_list.InitAndEnableFeature( |
2797 TransportSecurityState::kDynamicExpectCTFeature); | 2996 TransportSecurityState::kDynamicExpectCTFeature); |
2798 TransportSecurityState state; | 2997 TransportSecurityState state; |
2799 MockExpectCTReporter reporter; | 2998 MockExpectCTReporter reporter; |
2800 state.SetExpectCTReporter(&reporter); | 2999 state.SetExpectCTReporter(&reporter); |
2801 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); | 3000 state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl); |
2802 TransportSecurityState::ExpectCTState expect_ct_state; | 3001 TransportSecurityState::ExpectCTState expect_ct_state; |
2803 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); | 3002 EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state)); |
2804 EXPECT_EQ(1u, reporter.num_failures()); | 3003 EXPECT_EQ(1u, reporter.num_failures()); |
2805 EXPECT_EQ("example.test", reporter.host_port_pair().host()); | 3004 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 3005 EXPECT_EQ(cert1.get(), reporter.served_certificate_chain()); |
| 3006 EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain()); |
| 3007 EXPECT_EQ(ssl.signed_certificate_timestamps.size(), |
| 3008 reporter.signed_certificate_timestamps().size()); |
| 3009 EXPECT_EQ(ssl.signed_certificate_timestamps[0].status, |
| 3010 reporter.signed_certificate_timestamps()[0].status); |
| 3011 EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct, |
| 3012 reporter.signed_certificate_timestamps()[0].sct); |
| 3013 } |
| 3014 |
| 3015 // Tests that CheckCTRequirements() returns false if a connection to a host |
| 3016 // violates an Expect-CT header, and that it reports violations. |
| 3017 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) { |
| 3018 const base::Time current_time(base::Time::Now()); |
| 3019 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 3020 scoped_refptr<X509Certificate> cert1 = |
| 3021 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 3022 scoped_refptr<X509Certificate> cert2 = |
| 3023 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 3024 ASSERT_TRUE(cert1); |
| 3025 ASSERT_TRUE(cert2); |
| 3026 SignedCertificateTimestampAndStatusList sct_list; |
| 3027 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", |
| 3028 std::string(), std::string(), base::Time::Now(), |
| 3029 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list); |
| 3030 |
| 3031 base::test::ScopedFeatureList feature_list; |
| 3032 feature_list.InitAndEnableFeature( |
| 3033 TransportSecurityState::kDynamicExpectCTFeature); |
| 3034 |
| 3035 TransportSecurityState state; |
| 3036 MockExpectCTReporter reporter; |
| 3037 state.SetExpectCTReporter(&reporter); |
| 3038 state.AddExpectCT("example.test", expiry, true /* enforce */, |
| 3039 GURL("https://example-report.test")); |
| 3040 state.AddExpectCT("example-report-only.test", expiry, false /* enforce */, |
| 3041 GURL("https://example-report.test")); |
| 3042 state.AddExpectCT("example-enforce-only.test", expiry, true /* enforce */, |
| 3043 GURL()); |
| 3044 |
| 3045 // Test that a connection to an unrelated host is not affected. |
| 3046 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
| 3047 state.CheckCTRequirements( |
| 3048 HostPortPair("example2.test", 443), true, HashValueVector(), |
| 3049 cert1.get(), cert2.get(), sct_list, |
| 3050 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3051 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 3052 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
| 3053 state.CheckCTRequirements( |
| 3054 HostPortPair("example2.test", 443), true, HashValueVector(), |
| 3055 cert1.get(), cert2.get(), sct_list, |
| 3056 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3057 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); |
| 3058 EXPECT_EQ(0u, reporter.num_failures()); |
| 3059 |
| 3060 // A connection to an Expect-CT host should be closed and reported. |
| 3061 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 3062 state.CheckCTRequirements( |
| 3063 HostPortPair("example.test", 443), true, HashValueVector(), |
| 3064 cert1.get(), cert2.get(), sct_list, |
| 3065 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3066 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 3067 EXPECT_EQ(1u, reporter.num_failures()); |
| 3068 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 3069 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 3070 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
| 3071 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
| 3072 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
| 3073 EXPECT_EQ(sct_list[0].status, |
| 3074 reporter.signed_certificate_timestamps()[0].status); |
| 3075 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
| 3076 |
| 3077 // A compliant connection to an Expect-CT host should not be closed or |
| 3078 // reported. |
| 3079 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
| 3080 state.CheckCTRequirements( |
| 3081 HostPortPair("example.test", 443), true, HashValueVector(), |
| 3082 cert1.get(), cert2.get(), sct_list, |
| 3083 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3084 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
| 3085 EXPECT_EQ(1u, reporter.num_failures()); |
| 3086 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
| 3087 state.CheckCTRequirements( |
| 3088 HostPortPair("example.test", 443), true, HashValueVector(), |
| 3089 cert1.get(), cert2.get(), sct_list, |
| 3090 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3091 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY)); |
| 3092 EXPECT_EQ(1u, reporter.num_failures()); |
| 3093 |
| 3094 // A connection to a report-only host should be reported only. |
| 3095 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
| 3096 state.CheckCTRequirements( |
| 3097 HostPortPair("example-report-only.test", 443), true, |
| 3098 HashValueVector(), cert1.get(), cert2.get(), sct_list, |
| 3099 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3100 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); |
| 3101 EXPECT_EQ(2u, reporter.num_failures()); |
| 3102 EXPECT_EQ("example-report-only.test", reporter.host_port_pair().host()); |
| 3103 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 3104 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
| 3105 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
| 3106 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
| 3107 EXPECT_EQ(sct_list[0].status, |
| 3108 reporter.signed_certificate_timestamps()[0].status); |
| 3109 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
| 3110 |
| 3111 // A connection to an enforce-only host should be closed but not reported. |
| 3112 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 3113 state.CheckCTRequirements( |
| 3114 HostPortPair("example-enforce-only.test", 443), true, |
| 3115 HashValueVector(), cert1.get(), cert2.get(), sct_list, |
| 3116 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3117 ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); |
| 3118 EXPECT_EQ(2u, reporter.num_failures()); |
| 3119 |
| 3120 // A connection with a private root should be neither enforced nor reported. |
| 3121 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET, |
| 3122 state.CheckCTRequirements( |
| 3123 HostPortPair("example.test", 443), false, HashValueVector(), |
| 3124 cert1.get(), cert2.get(), sct_list, |
| 3125 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3126 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 3127 EXPECT_EQ(2u, reporter.num_failures()); |
| 3128 |
| 3129 // A connection with DISABLE_EXPECT_CT_REPORTS should not send a report. |
| 3130 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 3131 state.CheckCTRequirements( |
| 3132 HostPortPair("example.test", 443), true, HashValueVector(), |
| 3133 cert1.get(), cert2.get(), sct_list, |
| 3134 TransportSecurityState::DISABLE_EXPECT_CT_REPORTS, |
| 3135 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 3136 EXPECT_EQ(2u, reporter.num_failures()); |
| 3137 } |
| 3138 |
| 3139 // Tests that for a host that requires CT by delegate and is also |
| 3140 // Expect-CT-enabled, CheckCTRequirements() sends reports. |
| 3141 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCTAndDelegate) { |
| 3142 using ::testing::_; |
| 3143 using ::testing::Return; |
| 3144 using CTRequirementLevel = |
| 3145 TransportSecurityState::RequireCTDelegate::CTRequirementLevel; |
| 3146 |
| 3147 const base::Time current_time(base::Time::Now()); |
| 3148 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 3149 scoped_refptr<X509Certificate> cert1 = |
| 3150 ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem"); |
| 3151 scoped_refptr<X509Certificate> cert2 = |
| 3152 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"); |
| 3153 ASSERT_TRUE(cert1); |
| 3154 ASSERT_TRUE(cert2); |
| 3155 SignedCertificateTimestampAndStatusList sct_list; |
| 3156 MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log", |
| 3157 std::string(), std::string(), base::Time::Now(), |
| 3158 ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list); |
| 3159 |
| 3160 base::test::ScopedFeatureList feature_list; |
| 3161 feature_list.InitAndEnableFeature( |
| 3162 TransportSecurityState::kDynamicExpectCTFeature); |
| 3163 |
| 3164 TransportSecurityState state; |
| 3165 MockExpectCTReporter reporter; |
| 3166 state.SetExpectCTReporter(&reporter); |
| 3167 state.AddExpectCT("example.test", expiry, false /* enforce */, |
| 3168 GURL("https://example-report.test")); |
| 3169 |
| 3170 // A connection to an Expect-CT host, which also requires CT by the delegate, |
| 3171 // should be closed and reported. |
| 3172 MockRequireCTDelegate always_require_delegate; |
| 3173 EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_)) |
| 3174 .WillRepeatedly(Return(CTRequirementLevel::REQUIRED)); |
| 3175 state.SetRequireCTDelegate(&always_require_delegate); |
| 3176 EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET, |
| 3177 state.CheckCTRequirements( |
| 3178 HostPortPair("example.test", 443), true, HashValueVector(), |
| 3179 cert1.get(), cert2.get(), sct_list, |
| 3180 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 3181 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 3182 EXPECT_EQ(1u, reporter.num_failures()); |
| 3183 EXPECT_EQ("example.test", reporter.host_port_pair().host()); |
| 3184 EXPECT_EQ(443, reporter.host_port_pair().port()); |
| 3185 EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain()); |
| 3186 EXPECT_EQ(cert2.get(), reporter.served_certificate_chain()); |
| 3187 EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size()); |
| 3188 EXPECT_EQ(sct_list[0].status, |
| 3189 reporter.signed_certificate_timestamps()[0].status); |
| 3190 EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct); |
2806 } | 3191 } |
2807 | 3192 |
2808 } // namespace net | 3193 } // namespace net |
OLD | NEW |