
Unified Diff: net/spdy/chromium/spdy_session_unittest.cc

Issue 2850033002: Check Expect-CT at connection setup (Closed)
Patch Set: fix comment typo Created 3 years, 7 months ago
Index: net/spdy/chromium/spdy_session_unittest.cc
diff --git a/net/spdy/chromium/spdy_session_unittest.cc b/net/spdy/chromium/spdy_session_unittest.cc
index 57bfa214e1010e232bae6f905a18afe32b0f58f3..dbd985ddf4c8e3ef4b490e8b8287b1f0ee27ab13 100644
--- a/net/spdy/chromium/spdy_session_unittest.cc
+++ b/net/spdy/chromium/spdy_session_unittest.cc
@@ -5945,6 +5945,49 @@ TEST(CanPoolTest, CanPool) {
&tss, ssl_info, "www.example.org", "mail.google.com"));
}
+TEST(CanPoolTest, CanPoolExpectCT) {
+ base::test::ScopedFeatureList feature_list;
+ feature_list.InitAndEnableFeature(
+ TransportSecurityState::kDynamicExpectCTFeature);
+ // Load a cert that is valid for:
+ // www.example.org
+ // mail.example.org
+ // mail.example.com
+
+ TransportSecurityState tss;
+ SSLInfo ssl_info;
+ ssl_info.cert =
+ ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
+ ssl_info.unverified_cert = ssl_info.cert;
+ ssl_info.ct_cert_policy_compliance =
+ ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
+ ssl_info.is_issued_by_known_root = true;
+
+ EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, "www.example.org",
+ "www.example.org"));
+
+ const base::Time current_time(base::Time::Now());
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+ ssl_info.ct_cert_policy_compliance =
+ ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
+
+ // A different Expect-CT enabled host should not be allowed to pool.
+ tss.AddExpectCT("mail.example.org", expiry, true, GURL());
+ EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, "www.example.org",
+ "mail.example.org"));
+ // A report-only Expect-CT configuration should not prevent pooling.
+ tss.AddExpectCT("mail.example.org", expiry, false,
+ GURL("https://report.test"));
+ EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, "www.example.org",
+ "mail.example.org"));
+ // If Expect-CT becomes enabled for the same host for which the connection was
+ // already made, subsequent connections to that host should not be allowed to
+ // pool.
+ tss.AddExpectCT("www.example.org", expiry, true, GURL());
+ EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, "www.example.org",
+ "www.example.org"));
+}
+
TEST(CanPoolTest, CanNotPoolWithCertErrors) {
// Load a cert that is valid for:
// www.example.org
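Review bot: CanPoolExpectCT only exercises the non-compliant path, so it would still pass if CanPool refused pooling for every host with an enforced Expect-CT entry, regardless of the connection's CT state. After the last `EXPECT_FALSE`, a positive case would pin that the decision depends on compliance: `ssl_info.ct_cert_policy_compliance = ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;` followed by `EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, "www.example.org", "www.example.org"));`. The second assignment of `CERT_POLICY_NOT_ENOUGH_SCTS` (just after `expiry` is computed) repeats the value set a few lines earlier and can be dropped. The test sets `is_issued_by_known_root = true`, which suggests enforcement is limited to publicly trusted roots; if so, a case with it set to `false` that expects pooling to succeed would document that exemption.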