Chromium Code Reviews| Index: net/url_request/url_request_unittest.cc |
| diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc |
| index ac6c31c462f78c5e3b6f8d0d323ac64c0de79bd1..c723928f538c2cba63f1fb32d1962db2e7db057a 100644 |
| --- a/net/url_request/url_request_unittest.cc |
| +++ b/net/url_request/url_request_unittest.cc |
| @@ -1371,14 +1371,8 @@ TEST_F(HTTPSRequestTest, HTTPSExpiredTest) { |
| } |
| } |
| -class RevCheckedEnabledSSLConfigService : public SSLConfigService { |
| - public: |
| - virtual void GetSSLConfig(SSLConfig* config) { |
| - *config = SSLConfig(); |
| - config->rev_checking_enabled = true; |
| - config->verify_ev_cert = true; |
| - } |
| -}; |
| +#if !defined(OS_ANDROID) && !defined(USE_OPENSSL) |
| +// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
| // This the fingerprint of the "Testing CA" certificate used by the testserver. |
| // See net/data/ssl/certificates/ocsp-test-root.pem. |
| @@ -1397,7 +1391,10 @@ class HTTPSOCSPTest : public HTTPSRequestTest { |
| ev_test_policy_(EVRootCAMetadata::GetInstance(), |
| kOCSPTestCertFingerprint, |
| kOCSPTestCertPolicy) { |
| - context_->set_ssl_config_service(new RevCheckedEnabledSSLConfigService); |
| + } |
| + |
| + virtual void SetUp() OVERRIDE { |
| + InitContext(context_); |
| context_->Init(); |
|
wtc
2012/03/16 00:33:10
InitContext(context_) and context_->Init() sound t
agl
2012/03/20 20:02:19
Changed to SetupContext.
|
| scoped_refptr<net::X509Certificate> root_cert = |
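Review bot: The new `SetUp()` carries no comment explaining why the context configuration moved out of the constructor, and that reason is easy to undo by accident in a later cleanup. `InitContext` is virtual and is overridden by the fixtures added further down in this change. A call made from the `HTTPSOCSPTest` constructor would always run the base version, so every subclass would silently get `rev_checking_enabled = true`. I would add `// InitContext() is virtual: call it from SetUp(), not the constructor, so subclass overrides take effect.` above the call. The body of `SetUp()` continues past this hunk, so whether it should also chain to a parent `SetUp()` cannot be judged from here.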
| @@ -1435,14 +1432,52 @@ class HTTPSOCSPTest : public HTTPSRequestTest { |
| #endif |
| } |
| - private: |
| + protected: |
| + class RevCheckedEnabledSSLConfigService : public SSLConfigService { |
| + public: |
| + virtual void GetSSLConfig(SSLConfig* config) { |
| + *config = SSLConfig(); |
| + config->rev_checking_enabled = true; |
| + config->verify_ev_cert = true; |
| + } |
| + }; |
| + |
| + // InitContext configures the URLRequestContext that will be used for making |
| + // connetions to testserver. This can be overridden in test subclasses for |
| + // different behaviour. |
| + virtual void InitContext(URLRequestContext* context) { |
| + context->set_ssl_config_service(new RevCheckedEnabledSSLConfigService); |
| + } |
| + |
| scoped_ptr<ScopedTestRoot> test_root_; |
| scoped_refptr<TestURLRequestContext> context_; |
| ScopedTestEVPolicy ev_test_policy_; |
| }; |
| -#if !defined(OS_ANDROID) && !defined(USE_OPENSSL) |
| -// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. |
| +static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { |
| +#if defined(OS_WIN) |
| + // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't |
| + // have that ability on other platforms. |
| + return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; |
| +#else |
| + return 0; |
| +#endif |
| +} |
| + |
| +// SystemUsesChromiumEVMetadata returns true iff the current operating system |
| +// uses Chromium's EV metadata (i.e. EVRootCAMetadata). If it does not, then |
| +// several tests are effected because our testing EV certificate won't be |
| +// recognised as EV. |
| +static bool SystemUsesChromiumEVMetadata() { |
| +#if defined(OS_MACOSX) |
| + // On OS X, we use the system to tell us whether a certificate is EV or not |
| + // and the system won't recognise our testing root. |
| + return false; |
| +#else |
| + return true; |
| +#endif |
| +} |
| + |
| TEST_F(HTTPSOCSPTest, Valid) { |
| TestServer::HTTPSOptions https_options(TestServer::HTTPSOptions::CERT_AUTO); |
| https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_OK; |
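Review bot: `ExpectedCertStatusForFailedOnlineRevocationCheck()` has no function-level comment, unlike `SystemUsesChromiumEVMetadata()` beside it, and its `return 0` branch encodes a security-relevant expectation that should be spelled out. On non-Windows platforms the tests expect a failed online revocation check to produce no error bit at all, so the only observable effect is that `CERT_STATUS_IS_EV` is withheld. I would add `// Returns the error bits expected in cert_status when an online revocation check fails; 0 means the failure is tolerated and only the EV indication is dropped.` above the function. Two comment typos in the same hunk are also worth fixing: `connetions` should be `connections` in the `InitContext` comment, and `effected` should be `affected` in the `SystemUsesChromiumEVMetadata` comment.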
| @@ -1451,13 +1486,8 @@ TEST_F(HTTPSOCSPTest, Valid) { |
| DoConnection(https_options, &cert_status); |
| EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
| -#if defined(OS_MACOSX) |
| - // On OS X, we use the system to tell us whether a certificate is EV or not |
| - // and the system won't recognise our testing root. |
| - EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| -#else |
| - EXPECT_TRUE(cert_status & CERT_STATUS_IS_EV); |
| -#endif |
| + EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| + static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); |
|
Ryan Sleevi
2012/03/16 00:50:52
nit: !!(cert_status & CERT_STATUS_IS_EV) ?
The st
|
| EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| } |
| @@ -1485,19 +1515,133 @@ TEST_F(HTTPSOCSPTest, Invalid) { |
| CertStatus cert_status; |
| DoConnection(https_options, &cert_status); |
| -#if defined(OS_WIN) |
| - // Windows can return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION but we don't |
| - // have that ability on other platforms. |
| - EXPECT_EQ(CERT_STATUS_UNABLE_TO_CHECK_REVOCATION, |
| + EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
| cert_status & CERT_STATUS_ALL_ERRORS); |
| -#else |
| - EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
| -#endif |
| // Without a positive OCSP response, we shouldn't show the EV status. |
| EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| } |
| + |
| +class HTTPSEVCRLSetTest : public HTTPSOCSPTest { |
| + protected: |
| + class RevCheckedDisabledSSLConfigService : public SSLConfigService { |
| + public: |
| + virtual void GetSSLConfig(SSLConfig* config) { |
| + *config = SSLConfig(); |
| + config->rev_checking_enabled = false; |
| + config->verify_ev_cert = true; |
| + } |
| + }; |
| + |
| + virtual void InitContext(URLRequestContext* context) OVERRIDE { |
| + context->set_ssl_config_service(new RevCheckedDisabledSSLConfigService); |
| + } |
| +}; |
| + |
| +TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) { |
| + TestServer::HTTPSOptions https_options( |
| + TestServer::HTTPSOptions::CERT_AUTO); |
| + https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; |
| + SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); |
| + |
| + CertStatus cert_status; |
| + DoConnection(https_options, &cert_status); |
| + |
| + EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
| + cert_status & CERT_STATUS_ALL_ERRORS); |
| + |
| + EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| + EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| +} |
| + |
| +TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndGoodOCSP) { |
| + TestServer::HTTPSOptions https_options( |
| + TestServer::HTTPSOptions::CERT_AUTO); |
| + https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_OK; |
| + SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); |
| + |
| + CertStatus cert_status; |
| + DoConnection(https_options, &cert_status); |
| + |
| + EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
| + |
| + EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| + static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); |
| + |
| + EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| +} |
| + |
| +TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSet) { |
| + TestServer::HTTPSOptions https_options( |
| + TestServer::HTTPSOptions::CERT_AUTO); |
| + https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; |
| + SSLConfigService::SetCRLSet( |
| + scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
| + |
| + CertStatus cert_status; |
| + DoConnection(https_options, &cert_status); |
| + |
| + EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(), |
| + cert_status & CERT_STATUS_ALL_ERRORS); |
| + |
| + EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| + EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| +} |
| + |
| +TEST_F(HTTPSEVCRLSetTest, FreshCRLSet) { |
| + TestServer::HTTPSOptions https_options( |
| + TestServer::HTTPSOptions::CERT_AUTO); |
| + https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; |
| + SSLConfigService::SetCRLSet( |
| + scoped_refptr<CRLSet>(CRLSet::EmptyCRLSetForTesting())); |
| + |
| + CertStatus cert_status; |
| + DoConnection(https_options, &cert_status); |
| + |
| + // With a valid, fresh CRLSet the bad OCSP response shouldn't matter because |
| + // we wont check it. |
| + EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
| + |
| + EXPECT_EQ(SystemUsesChromiumEVMetadata(), |
| + static_cast<bool>(cert_status & CERT_STATUS_IS_EV)); |
| + |
| + EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| +} |
| + |
| +class HTTPSCRLSetTest : public HTTPSOCSPTest { |
| + protected: |
| + class RevCheckedDisabledSSLConfigService : public SSLConfigService { |
|
Ryan Sleevi
2012/03/16 00:50:52
nit: Just create a single SSLConfigService that ta
agl
2012/03/20 20:02:19
Done. Makes more sense now that there are three of
|
| + public: |
| + virtual void GetSSLConfig(SSLConfig* config) { |
| + *config = SSLConfig(); |
| + config->rev_checking_enabled = false; |
| + config->verify_ev_cert = false; |
| + } |
| + }; |
| + |
| + virtual void InitContext(URLRequestContext* context) OVERRIDE { |
| + context->set_ssl_config_service(new RevCheckedDisabledSSLConfigService); |
| + } |
| +}; |
| + |
| +TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) { |
| + TestServer::HTTPSOptions https_options( |
| + TestServer::HTTPSOptions::CERT_AUTO); |
| + https_options.ocsp_status = TestServer::HTTPSOptions::OCSP_INVALID; |
| + SSLConfigService::SetCRLSet( |
| + scoped_refptr<CRLSet>(CRLSet::ExpiredCRLSetForTesting())); |
| + |
| + CertStatus cert_status; |
| + DoConnection(https_options, &cert_status); |
| + |
| + // If we're not trying EV verification then, even if the CRLSet has expired, |
| + // we don't fall back to online revocation checks. |
| + EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS); |
| + EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV); |
| + EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED); |
| +} |
| + |
| #endif // !OS_ANDROID && !USE_OPENSSL |
| // This tests that a load of www.google.com with a certificate error sets |
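Review bot: Every new test calls the static `SSLConfigService::SetCRLSet(...)`, and nothing visible in this change restores the previous value afterwards. The CRLSet looks like process-wide state, so the result of `FreshCRLSet` or `ExpiredCRLSet` would leak into whichever test runs next. The existing `HTTPSOCSPTest` cases (`Valid`, `Invalid`) never set a CRLSet themselves, so their revocation behaviour would depend on test ordering or sharding. Resetting it in the shared fixture would make each test start from a known state, for example `virtual void TearDown() OVERRIDE { SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>()); }` in `HTTPSOCSPTest`, chaining to the parent `TearDown()` if one exists. It would also help to have at least one case where the CRLSet actually covers the test certificate, since all the cases here use an empty, expired or missing set.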