search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll src/third_party/WebKit eac3800:0237a66 (svn 202606:202607)
[chromium-blink-merge.git] / net / quic / crypto / proof_verifier_chromium_test.cc
blob9e0f5987f244967e644bf3760c494851ba44a41f
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/quic/crypto/proof_verifier_chromium.h"
6
7 #include "base/memory/ref_counted.h"
8 #include "base/memory/scoped_ptr.h"
9 #include "net/base/net_errors.h"
10 #include "net/base/test_data_directory.h"
11 #include "net/cert/cert_policy_enforcer.h"
12 #include "net/cert/cert_status_flags.h"
13 #include "net/cert/cert_verifier.h"
14 #include "net/cert/mock_cert_verifier.h"
15 #include "net/cert/x509_certificate.h"
16 #include "net/http/transport_security_state.h"
17 #include "net/log/net_log.h"
18 #include "net/quic/crypto/proof_verifier.h"
19 #include "net/test/cert_test_util.h"
20 #include "testing/gtest/include/gtest/gtest.h"
21
22 namespace net {
23 namespace test {
24
25 namespace {
26
27 // CertVerifier that will fail the test if it is ever called.
28 class FailsTestCertVerifier : public CertVerifier {
29 public:
30 FailsTestCertVerifier() {}
31 ~FailsTestCertVerifier() override {}
32
33 // CertVerifier implementation
34 int Verify(X509Certificate* cert,
35 const std::string& hostname,
36 const std::string& ocsp_response,
37 int flags,
38 CRLSet* crl_set,
39 CertVerifyResult* verify_result,
40 const CompletionCallback& callback,
41 scoped_ptr<CertVerifier::Request>* out_req,
42 const BoundNetLog& net_log) override {
43 ADD_FAILURE() << "CertVerifier::Verify() should not be called";
44 return ERR_FAILED;
45 }
46 };
47
48 // CertPolicyEnforcer that will fail the test if it is ever called.
49 class FailsTestCertPolicyEnforcer : public CertPolicyEnforcer {
50 public:
51 FailsTestCertPolicyEnforcer() {}
52 ~FailsTestCertPolicyEnforcer() override {}
53
54 bool DoesConformToCTEVPolicy(X509Certificate* cert,
55 const ct::EVCertsWhitelist* ev_whitelist,
56 const ct::CTVerifyResult& ct_result,
57 const BoundNetLog& net_log) override {
58 ADD_FAILURE() << "CertPolicyEnforcer::DoesConformToCTEVPolicy() should "
59 << "not be called";
60 return false;
61 }
62 };
63
64 // CertPolicyEnforcer that can simulate whether or not a given certificate
65 // conforms to the CT/EV policy.
66 class MockCertPolicyEnforcer : public CertPolicyEnforcer {
67 public:
68 MockCertPolicyEnforcer(bool is_ev) : is_ev_(is_ev) {}
69 ~MockCertPolicyEnforcer() override {}
70
71 bool DoesConformToCTEVPolicy(X509Certificate* cert,
72 const ct::EVCertsWhitelist* ev_whitelist,
73 const ct::CTVerifyResult& ct_result,
74 const BoundNetLog& net_log) override {
75 return is_ev_;
76 }
77
78 private:
79 bool is_ev_;
80 };
81
82 class DummyProofVerifierCallback : public ProofVerifierCallback {
83 public:
84 DummyProofVerifierCallback() {}
85 ~DummyProofVerifierCallback() override {}
86
87 void Run(bool ok,
88 const std::string& error_details,
89 scoped_ptr<ProofVerifyDetails>* details) override {
90 // Do nothing
91 }
92 };
93
94 scoped_refptr<X509Certificate> GetTestServerCertificate() {
95 static const char kTestCert[] = "quic_test.example.com.crt";
96 return ImportCertFromFile(GetTestCertsDirectory(), kTestCert);
97 }
98
99 void GetTestCertificates(std::vector<std::string>* certs) {
100 scoped_refptr<X509Certificate> cert = GetTestServerCertificate();
101 ASSERT_TRUE(cert);
102
103 std::string der_bytes;
104 ASSERT_TRUE(
105 X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_bytes));
106
107 certs->clear();
108 certs->push_back(der_bytes);
109 }
110
111 std::string GetTestSignature() {
112 // Sample known answer test from ProofTest.VerifyRSAKnownAnswerTest.
113 // Generated by dumping the bytes of the |signature| output of
114 // ProofSource::GetProof().
115 static const unsigned char kTestSignature[] = {
116 0x31, 0xd5, 0xfb, 0x40, 0x30, 0x75, 0xd2, 0x7d, 0x61, 0xf9, 0xd7, 0x54,
117 0x30, 0x06, 0xaf, 0x54, 0x0d, 0xb0, 0x0a, 0xda, 0x63, 0xca, 0x7e, 0x9e,
118 0xce, 0xba, 0x10, 0x05, 0x1b, 0xa6, 0x7f, 0xef, 0x2b, 0xa3, 0xff, 0x3c,
119 0xbb, 0x9a, 0xe4, 0xbf, 0xb8, 0x0c, 0xc1, 0xbd, 0xed, 0xc2, 0x90, 0x68,
120 0xeb, 0x45, 0x48, 0xea, 0x3c, 0x95, 0xf8, 0xa2, 0xb9, 0xe7, 0x62, 0x29,
121 0x00, 0xc3, 0x18, 0xb4, 0x16, 0x6f, 0x5e, 0xb0, 0xc1, 0x26, 0xc0, 0x4b,
122 0x84, 0xf5, 0x97, 0xfc, 0x17, 0xf9, 0x1c, 0x43, 0xb8, 0xf2, 0x3f, 0x38,
123 0x32, 0xad, 0x36, 0x52, 0x2c, 0x26, 0x92, 0x7a, 0xea, 0x2c, 0xa2, 0xf4,
124 0x28, 0x2f, 0x19, 0x4d, 0x1f, 0x11, 0x46, 0x82, 0xd0, 0xc4, 0x86, 0x56,
125 0x5c, 0x97, 0x9e, 0xc6, 0x37, 0x8e, 0xaf, 0x9d, 0x69, 0xe9, 0x4f, 0x5a,
126 0x6d, 0x70, 0x75, 0xc7, 0x41, 0x95, 0x68, 0x53, 0x94, 0xca, 0x31, 0x63,
127 0x61, 0x9f, 0xb8, 0x8c, 0x3b, 0x75, 0x36, 0x8b, 0x69, 0xa2, 0x35, 0xc0,
128 0x4b, 0x77, 0x55, 0x08, 0xc2, 0xb4, 0x56, 0xd2, 0x81, 0xce, 0x9e, 0x25,
129 0xdb, 0x50, 0x74, 0xb3, 0x8a, 0xd9, 0x20, 0x42, 0x3f, 0x85, 0x2d, 0xaa,
130 0xfd, 0x66, 0xfa, 0xd6, 0x95, 0x55, 0x6b, 0x63, 0x63, 0x04, 0xf8, 0x6c,
131 0x3e, 0x08, 0x22, 0x39, 0xb9, 0x9a, 0xe0, 0xd7, 0x01, 0xff, 0xeb, 0x8a,
132 0xb9, 0xe2, 0x34, 0xa5, 0xa0, 0x51, 0xe9, 0xbe, 0x15, 0x12, 0xbf, 0xbe,
133 0x64, 0x3d, 0x3f, 0x98, 0xce, 0xc1, 0xa6, 0x33, 0x32, 0xd3, 0x5c, 0xa8,
134 0x39, 0x93, 0xdc, 0x1c, 0xb9, 0xab, 0x3c, 0x80, 0x62, 0xb3, 0x76, 0x21,
135 0xdf, 0x47, 0x1e, 0xa9, 0x0e, 0x5e, 0x8a, 0xbe, 0x66, 0x5b, 0x7c, 0x21,
136 0xfa, 0x78, 0x2d, 0xd1, 0x1d, 0x5c, 0x35, 0x8a, 0x34, 0xb2, 0x1a, 0xc2,
137 0xc4, 0x4b, 0x53, 0x54,
138 };
139 return std::string(reinterpret_cast<const char*>(kTestSignature),
140 sizeof(kTestSignature));
141 }
142
143 const char kTestHostname[] = "test.example.com";
144 const char kTestConfig[] = "server config bytes";
145
146 } // namespace
147
148 // Tests that the ProofVerifier fails verification if certificate
149 // verification fails.
150 TEST(ProofVerifierChromiumTest, FailsIfCertFails) {
151 MockCertVerifier dummy_verifier;
152 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr);
153
154 scoped_ptr<ProofVerifyContext> verify_context(
155 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog()));
156 scoped_ptr<ProofVerifyDetails> details;
157 std::string error_details;
158
159 std::vector<std::string> certs;
160 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs));
161
162 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
163 QuicAsyncStatus status = proof_verifier.VerifyProof(
164 kTestHostname, kTestConfig, certs, GetTestSignature(),
165 verify_context.get(), &error_details, &details, callback);
166 ASSERT_EQ(QUIC_FAILURE, status);
167 delete callback;
168 }
169
170 // Tests that the ProofVerifier doesn't verify certificates if the config
171 // signature fails.
172 TEST(ProofVerifierChromiumTest, FailsIfSignatureFails) {
173 FailsTestCertVerifier cert_verifier;
174 ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr);
175
176 scoped_ptr<ProofVerifyContext> verify_context(
177 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog()));
178 scoped_ptr<ProofVerifyDetails> details;
179 std::string error_details;
180
181 std::vector<std::string> certs;
182 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs));
183
184 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
185 QuicAsyncStatus status = proof_verifier.VerifyProof(
186 kTestHostname, kTestConfig, certs, kTestConfig, verify_context.get(),
187 &error_details, &details, callback);
188 ASSERT_EQ(QUIC_FAILURE, status);
189 delete callback;
190 }
191
192 // Tests that EV certificates are left as EV if there is no certificate
193 // policy enforcement.
194 TEST(ProofVerifierChromiumTest, PreservesEVIfNoPolicy) {
195 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
196 ASSERT_TRUE(test_cert);
197
198 CertVerifyResult dummy_result;
199 dummy_result.verified_cert = test_cert;
200 dummy_result.cert_status = CERT_STATUS_IS_EV;
201
202 MockCertVerifier dummy_verifier;
203 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
204
205 ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr);
206
207 scoped_ptr<ProofVerifyContext> verify_context(
208 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog()));
209 scoped_ptr<ProofVerifyDetails> details;
210 std::string error_details;
211
212 std::vector<std::string> certs;
213 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs));
214
215 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
216 QuicAsyncStatus status = proof_verifier.VerifyProof(
217 kTestHostname, kTestConfig, certs, GetTestSignature(),
218 verify_context.get(), &error_details, &details, callback);
219 ASSERT_EQ(QUIC_SUCCESS, status);
220 delete callback;
221
222 ASSERT_TRUE(details.get());
223 ProofVerifyDetailsChromium* verify_details =
224 static_cast<ProofVerifyDetailsChromium*>(details.get());
225 EXPECT_EQ(dummy_result.cert_status,
226 verify_details->cert_verify_result.cert_status);
227 }
228
229 // Tests that the certificate policy enforcer is consulted for EV
230 // and the certificate is allowed to be EV.
231 TEST(ProofVerifierChromiumTest, PreservesEVIfAllowed) {
232 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
233 ASSERT_TRUE(test_cert);
234
235 CertVerifyResult dummy_result;
236 dummy_result.verified_cert = test_cert;
237 dummy_result.cert_status = CERT_STATUS_IS_EV;
238
239 MockCertVerifier dummy_verifier;
240 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
241
242 MockCertPolicyEnforcer policy_enforcer(true /*is_ev*/);
243
244 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
245 nullptr);
246
247 scoped_ptr<ProofVerifyContext> verify_context(
248 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog()));
249 scoped_ptr<ProofVerifyDetails> details;
250 std::string error_details;
251
252 std::vector<std::string> certs;
253 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs));
254
255 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
256 QuicAsyncStatus status = proof_verifier.VerifyProof(
257 kTestHostname, kTestConfig, certs, GetTestSignature(),
258 verify_context.get(), &error_details, &details, callback);
259 ASSERT_EQ(QUIC_SUCCESS, status);
260 delete callback;
261
262 ASSERT_TRUE(details.get());
263 ProofVerifyDetailsChromium* verify_details =
264 static_cast<ProofVerifyDetailsChromium*>(details.get());
265 EXPECT_EQ(dummy_result.cert_status,
266 verify_details->cert_verify_result.cert_status);
267 }
268
269 // Tests that the certificate policy enforcer is consulted for EV
270 // and the certificate is not allowed to be EV.
271 TEST(ProofVerifierChromiumTest, StripsEVIfNotAllowed) {
272 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
273 ASSERT_TRUE(test_cert);
274
275 CertVerifyResult dummy_result;
276 dummy_result.verified_cert = test_cert;
277 dummy_result.cert_status = CERT_STATUS_IS_EV;
278
279 MockCertVerifier dummy_verifier;
280 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
281
282 MockCertPolicyEnforcer policy_enforcer(false /*is_ev*/);
283
284 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
285 nullptr);
286
287 scoped_ptr<ProofVerifyContext> verify_context(
288 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog()));
289 scoped_ptr<ProofVerifyDetails> details;
290 std::string error_details;
291
292 std::vector<std::string> certs;
293 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs));
294
295 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
296 QuicAsyncStatus status = proof_verifier.VerifyProof(
297 kTestHostname, kTestConfig, certs, GetTestSignature(),
298 verify_context.get(), &error_details, &details, callback);
299 ASSERT_EQ(QUIC_SUCCESS, status);
300 delete callback;
301
302 ASSERT_TRUE(details.get());
303 ProofVerifyDetailsChromium* verify_details =
304 static_cast<ProofVerifyDetailsChromium*>(details.get());
305 EXPECT_EQ(CERT_STATUS_CT_COMPLIANCE_FAILED,
306 verify_details->cert_verify_result.cert_status &
307 (CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV));
308 }
309
310 // Tests that the certificate policy enforcer is not consulted if
311 // the certificate is not EV.
312 TEST(ProofVerifierChromiumTest, IgnoresPolicyEnforcerIfNotEV) {
313 scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
314 ASSERT_TRUE(test_cert);
315
316 CertVerifyResult dummy_result;
317 dummy_result.verified_cert = test_cert;
318 dummy_result.cert_status = 0;
319
320 MockCertVerifier dummy_verifier;
321 dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
322
323 FailsTestCertPolicyEnforcer policy_enforcer;
324
325 ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
326 nullptr);
327
328 scoped_ptr<ProofVerifyContext> verify_context(
329 new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog()));
330 scoped_ptr<ProofVerifyDetails> details;
331 std::string error_details;
332
333 std::vector<std::string> certs;
334 ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs));
335
336 DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
337 QuicAsyncStatus status = proof_verifier.VerifyProof(
338 kTestHostname, kTestConfig, certs, GetTestSignature(),
339 verify_context.get(), &error_details, &details, callback);
340 ASSERT_EQ(QUIC_SUCCESS, status);
341 delete callback;
342
343 ASSERT_TRUE(details.get());
344 ProofVerifyDetailsChromium* verify_details =
345 static_cast<ProofVerifyDetailsChromium*>(details.get());
346 EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status);
347 }
348
349 } // namespace test
350 } // namespace net