Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(764)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/url_request/url_request_unittest.cc

Issue 9663017: net: add OCSP tests. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/base/transport_security_state_unittest.cc ('K') | « net/tools/testserver/testserver.py ('k') | tools/mac/symbolicate_crash.py » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/url_request/url_request_unittest.cc
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index c0cbbf6eac282450f1faf942adcfebcd1e94ebad..e37f12a27b3a76c952b2525b834ee75f82e92f21 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -27,6 +27,7 @@
#include "base/string_util.h"
#include "base/stringprintf.h"
#include "base/utf_string_conversions.h"
+#include "net/base/cert_test_util.h"
#include "net/base/cookie_monster.h"
#include "net/base/cookie_store_test_helpers.h"
#include "net/base/load_flags.h"
@@ -37,6 +38,7 @@
#include "net/base/net_module.h"
#include "net/base/net_util.h"
#include "net/base/ssl_connection_status_flags.h"
+#include "net/base/test_root_certs.h"
#include "net/base/upload_data.h"
#include "net/disk_cache/disk_cache.h"
#include "net/ftp/ftp_network_layer.h"
@@ -45,6 +47,7 @@
#include "net/http/http_network_session.h"
#include "net/http/http_request_headers.h"
#include "net/http/http_response_headers.h"
+#include "net/ocsp/nss_ocsp.h"
#include "net/proxy/proxy_service.h"
#include "net/socket/ssl_client_socket.h"
#include "net/test/test_server.h"
@@ -1367,6 +1370,109 @@ TEST_F(HTTPSRequestTest, HTTPSExpiredTest) {
}
}
+class RevCheckedEnabledSSLConfigService : public SSLConfigService {
+ public:
+ virtual void GetSSLConfig(SSLConfig* config) {
+ *config = SSLConfig();
+ config->rev_checking_enabled = true;
+ config->verify_ev_cert = true;
+ }
+};
+
+class HTTPSOCSPTest : public HTTPSRequestTest {
+ public:
+ HTTPSOCSPTest()
+ : context_(new TestURLRequestContext(true)) {
+ context_->set_ssl_config_service(new RevCheckedEnabledSSLConfigService);
+ context_->Init();
+
+ scoped_refptr<net::X509Certificate> root_cert =
+ ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem");
+ CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert);
+ test_root_.reset(new ScopedTestRoot(root_cert));
+
+#if defined(USE_NSS)
+ EnsureOCSPInit();
+ SetURLRequestContextForOCSP(context_.get());
+#endif
+ }
+
+ void DoConnection(const TestServer::HTTPSOptions& https_options,
+ CertStatus* out_cert_status) {
+ TestServer test_server(https_options,
+ FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+ ASSERT_TRUE(test_server.Start());
+
+ TestDelegate d;
+ d.set_allow_certificate_errors(true);
+ URLRequest r(test_server.GetURL(""), &d);
+ r.set_context(context_.get());
+ r.Start();
+
+ MessageLoop::current()->Run();
+
+ EXPECT_EQ(1, d.response_started_count());
+ *out_cert_status = r.ssl_info().cert_status;
+ }
+
+ private:
+ scoped_ptr<ScopedTestRoot> test_root_;
+ scoped_refptr<TestURLRequestContext> context_;
+};
+
+#if !defined(OS_ANDROID) && !defined(USE_OPENSSL)
+// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
+TEST_F(HTTPSOCSPTest, OCSPValid) {
+ TestServer::HTTPSOptions https_options(TestServer::HTTPSOptions::OCSP_OK);
+
+ CertStatus cert_status;
+ DoConnection(https_options, &cert_status);
+ EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
+
+#if defined(OS_MACOSX)
+ // On OS X, we use the system to tell us whether a certificate is EV or not
+ // and the system won't recognise our testing root.
+ EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
+#else
+ EXPECT_TRUE(cert_status & CERT_STATUS_IS_EV);
+#endif
+
+ EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+TEST_F(HTTPSOCSPTest, OCSPRevoked) {
+ TestServer::HTTPSOptions https_options(
+ TestServer::HTTPSOptions::OCSP_REVOKED);
+
+ CertStatus cert_status;
+ DoConnection(https_options, &cert_status);
+ EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS);
+ EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
+ EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+
+TEST_F(HTTPSOCSPTest, OCSPInvalid) {
+ TestServer::HTTPSOptions https_options(
+ TestServer::HTTPSOptions::OCSP_INVALID);
+
+ CertStatus cert_status;
+ DoConnection(https_options, &cert_status);
+
+#if defined(OS_WIN)
+ // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't
+ // have that ability on other platforms.
+ EXPECT_EQ(CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
+ cert_status & CERT_STATUS_ALL_ERRORS);
+#else
+ EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
+#endif
+
+ // Without a positive OCSP response, we shouldn't show the EV status.
+ EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
+ EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
+}
+#endif // !OS_ANDROID && !USE_OPENSSL
+
// This tests that a load of www.google.com with a certificate error sets
// the |certificate_errors_are_fatal| flag correctly. This flag will cause
// the interstitial to be fatal.
« net/base/transport_security_state_unittest.cc ('K') | « net/tools/testserver/testserver.py ('k') | tools/mac/symbolicate_crash.py » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698