Commit 467fa292 authored by Matt Mueller's avatar Matt Mueller Committed by Commit Bot

Plumb TrustStoreMac debug data into the TrialComparisonCertVerifier error reports.

Bug: 991247
Change-Id: Ia7824c5ee17f67fb28d7e6bfa80b88a52a11e0be
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1754278
Commit-Queue: Matt Mueller <mattm@chromium.org>
Reviewed-by: default avatarRobbie McElrath <rmcelrath@chromium.org>
Reviewed-by: default avatarEmily Stark <estark@chromium.org>
Reviewed-by: default avatarEric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#690172}
parent 529b59b7
......@@ -105,17 +105,19 @@ void TrialComparisonCertVerifierController::SendTrialReport(
bool enable_sha1_local_anchors,
bool disable_symantec_enforcement,
const net::CertVerifyResult& primary_result,
const net::CertVerifyResult& trial_result) {
const net::CertVerifyResult& trial_result,
network::mojom::CertVerifierDebugInfoPtr debug_info) {
if (!IsAllowed() ||
base::GetFieldTrialParamByFeatureAsBool(
features::kCertDualVerificationTrialFeature, "uma_only", false)) {
return;
}
CertificateErrorReport report(
hostname, *unverified_cert, enable_rev_checking,
require_rev_checking_local_anchors, enable_sha1_local_anchors,
disable_symantec_enforcement, primary_result, trial_result);
CertificateErrorReport report(hostname, *unverified_cert, enable_rev_checking,
require_rev_checking_local_anchors,
enable_sha1_local_anchors,
disable_symantec_enforcement, primary_result,
trial_result, std::move(debug_info));
report.AddNetworkTimeInfo(g_browser_process->network_time_tracker());
report.AddChromeChannel(chrome::GetChannel());
......@@ -55,7 +55,8 @@ class TrialComparisonCertVerifierController
bool enable_sha1_local_anchors,
bool disable_symantec_enforcement,
const net::CertVerifyResult& primary_result,
const net::CertVerifyResult& trial_result) override;
const net::CertVerifyResult& trial_result,
network::mojom::CertVerifierDebugInfoPtr debug_info) override;
static void SetFakeOfficialBuildForTesting(bool fake_official_build);
......@@ -234,8 +234,9 @@ TEST_F(TrialComparisonCertVerifierControllerTest, NothingEnabled) {
EXPECT_FALSE(trial_controller().IsAllowed());
// Attempting to send a report should also do nothing.
report_client()->SendTrialReport("hostname", leaf_cert_1_, false, false,
false, false, ok_result_, ok_result_);
report_client()->SendTrialReport(
"hostname", leaf_cert_1_, false, false, false, false, ok_result_,
ok_result_, network::mojom::CertVerifierDebugInfo::New());
// Ensure any in-flight mojo calls get run.
base::RunLoop().RunUntilIdle();
// Expect no report since the trial is not allowed.
......@@ -255,8 +256,9 @@ TEST_F(TrialComparisonCertVerifierControllerTest,
EXPECT_FALSE(trial_controller().IsAllowed());
// Attempting to send a report should do nothing.
report_client()->SendTrialReport("hostname", leaf_cert_1_, false, false,
false, false, ok_result_, ok_result_);
report_client()->SendTrialReport(
"hostname", leaf_cert_1_, false, false, false, false, ok_result_,
ok_result_, network::mojom::CertVerifierDebugInfo::New());
// Ensure any in-flight mojo calls get run.
base::RunLoop().RunUntilIdle();
......@@ -290,8 +292,9 @@ TEST_F(TrialComparisonCertVerifierControllerTest,
EXPECT_FALSE(trial_controller().IsAllowed());
// Attempting to send a report should do nothing.
report_client()->SendTrialReport("hostname", leaf_cert_1_, false, false,
false, false, ok_result_, ok_result_);
report_client()->SendTrialReport(
"hostname", leaf_cert_1_, false, false, false, false, ok_result_,
ok_result_, network::mojom::CertVerifierDebugInfo::New());
// Ensure any in-flight mojo calls get run.
base::RunLoop().RunUntilIdle();
......@@ -323,8 +326,9 @@ TEST_F(TrialComparisonCertVerifierControllerTest, OfficialBuildTrialEnabled) {
Mock::VerifyAndClear(&mock_config_client());
// Report should be sent.
report_client()->SendTrialReport("127.0.0.1", leaf_cert_1_, false, false,
false, false, ok_result_, bad_result_);
report_client()->SendTrialReport(
"127.0.0.1", leaf_cert_1_, false, false, false, false, ok_result_,
bad_result_, network::mojom::CertVerifierDebugInfo::New());
// Ensure any in-flight mojo calls get run.
base::RunLoop().RunUntilIdle();
......@@ -365,8 +369,9 @@ TEST_F(TrialComparisonCertVerifierControllerTest, OfficialBuildTrialEnabled) {
EXPECT_FALSE(trial_controller().IsAllowed());
// Attempting to send a report should do nothing now.
report_client()->SendTrialReport("hostname", leaf_cert_1_, false, false,
false, false, ok_result_, bad_result_);
report_client()->SendTrialReport(
"hostname", leaf_cert_1_, false, false, false, false, ok_result_,
bad_result_, network::mojom::CertVerifierDebugInfo::New());
// Ensure any in-flight mojo calls get run.
base::RunLoop().RunUntilIdle();
// Expect no report since the trial is not allowed.
......@@ -409,10 +414,12 @@ TEST_F(TrialComparisonCertVerifierControllerTest,
Mock::VerifyAndClear(&mock_config_client_2);
// Report should be sent.
report_client()->SendTrialReport("127.0.0.1", leaf_cert_1_, false, false,
false, false, ok_result_, bad_result_);
report_client_2->SendTrialReport("127.0.0.2", leaf_cert_1_, false, false,
false, false, ok_result_, bad_result_);
report_client()->SendTrialReport(
"127.0.0.1", leaf_cert_1_, false, false, false, false, ok_result_,
bad_result_, network::mojom::CertVerifierDebugInfo::New());
report_client_2->SendTrialReport(
"127.0.0.2", leaf_cert_1_, false, false, false, false, ok_result_,
bad_result_, network::mojom::CertVerifierDebugInfo::New());
// Ensure any in-flight mojo calls get run.
base::RunLoop().RunUntilIdle();
......@@ -457,10 +464,12 @@ TEST_F(TrialComparisonCertVerifierControllerTest,
EXPECT_FALSE(trial_controller().IsAllowed());
// Attempting to send a report should do nothing now.
report_client()->SendTrialReport("hostname", leaf_cert_1_, false, false,
false, false, ok_result_, bad_result_);
report_client_2->SendTrialReport("hostname2", leaf_cert_1_, false, false,
false, false, ok_result_, bad_result_);
report_client()->SendTrialReport(
"hostname", leaf_cert_1_, false, false, false, false, ok_result_,
bad_result_, network::mojom::CertVerifierDebugInfo::New());
report_client_2->SendTrialReport(
"hostname2", leaf_cert_1_, false, false, false, false, ok_result_,
bad_result_, network::mojom::CertVerifierDebugInfo::New());
// Ensure any in-flight mojo calls get run.
base::RunLoop().RunUntilIdle();
// Expect no report since the trial is not allowed.
......@@ -491,8 +500,9 @@ TEST_F(TrialComparisonCertVerifierControllerTest,
// In uma_only mode, the network service will generate a report, but the
// trial controller will not send it to the reporting service.
report_client()->SendTrialReport("127.0.0.1", leaf_cert_1_, false, false,
false, false, ok_result_, bad_result_);
report_client()->SendTrialReport(
"127.0.0.1", leaf_cert_1_, false, false, false, false, ok_result_,
bad_result_, network::mojom::CertVerifierDebugInfo::New());
// Ensure any in-flight mojo calls get run.
base::RunLoop().RunUntilIdle();
......@@ -519,8 +529,9 @@ TEST_F(TrialComparisonCertVerifierControllerTest,
EXPECT_FALSE(trial_controller().IsAllowed());
// Attempting to send a report should also do nothing.
report_client()->SendTrialReport("hostname", leaf_cert_1_, false, false,
false, false, ok_result_, ok_result_);
report_client()->SendTrialReport(
"hostname", leaf_cert_1_, false, false, false, false, ok_result_,
ok_result_, network::mojom::CertVerifierDebugInfo::New());
// Ensure any in-flight mojo calls get run.
base::RunLoop().RunUntilIdle();
// Expect no report since the trial is not allowed.
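Review bot: Every updated call site in this file passes `network::mojom::CertVerifierDebugInfo::New()` with default (zero) contents, so none of these tests observes whether the controller actually forwards a populated `debug_info` into the report it hands to the reporting service; ErrorReportTest.TrialDebugInfo covers the CertificateErrorReport constructor, but the controller's own `std::move(debug_info)` forwarding is only exercised with an empty struct. The same applies to the SendTrialReport calls in the OfficialBuildTrialEnabled and uma_only hunks above. One of the "Report should be sent" cases could set a macOS flag on the struct (under `#if defined(OS_MACOSX)`) and assert on `mac_combined_trust_debug_info_size()` in the report the mock reporting service receives, which would pin the end-to-end path.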
......@@ -211,4 +211,23 @@ message TrialVerificationInfo {
// The VerifyFlags that were used when validating this chain. (Note this
// applies to both the primary and trial verifiers.)
repeated VerifyFlags verify_flags = 6;
enum MacTrustFlags {
UNKNOWN_MAC_TRUST_FLAG = 0;
MAC_TRUST_SETTINGS_ARRAY_EMPTY = 1;
MAC_TRUST_SETTINGS_DICT_EMPTY = 2;
MAC_TRUST_SETTINGS_DICT_UNKNOWN_KEY = 3;
MAC_TRUST_SETTINGS_DICT_CONTAINS_POLICY = 4;
MAC_TRUST_SETTINGS_DICT_INVALID_POLICY_TYPE = 5;
MAC_TRUST_SETTINGS_DICT_CONTAINS_APPLICATION = 6;
MAC_TRUST_SETTINGS_DICT_CONTAINS_POLICY_STRING = 7;
MAC_TRUST_SETTINGS_DICT_CONTAINS_KEY_USAGE = 8;
MAC_TRUST_SETTINGS_DICT_CONTAINS_RESULT = 9;
MAC_TRUST_SETTINGS_DICT_INVALID_RESULT_TYPE = 10;
MAC_TRUST_SETTINGS_DICT_CONTAINS_ALLOWED_ERROR = 11;
}
// Debug flags from the trial verifier path building attempt, only populated
// on reports from macOS. Contains the union of flags from all the GetTrust
// calls done during verification.
repeated MacTrustFlags mac_combined_trust_debug_info = 7;
}
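Review bot: The new `MacTrustFlags` enum carries no comment saying that its numeric values are written into serialized reports and therefore must never be renumbered or reused, and that they are deliberately independent of the `net::TrustStoreMac::TRUST_*` bit values (AddMacTrustFlagsToReport in certificate_error_report.cc maps by name, not by value). Without that note a future reader may "align" the numbers with the C++ bitmask and silently change the meaning of stored reports. Suggested comment above the enum: `// Values are persisted in serialized reports: never renumber or reuse them. They are unrelated to the net::TrustStoreMac::TrustDebugInfo bit values, which are mapped by name in AddMacTrustFlagsToReport.`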
......@@ -20,6 +20,10 @@
#include "net/cert/cert_verify_proc_android.h"
#endif
#if defined(OS_MACOSX)
#include "net/cert/internal/trust_store_mac.h"
#endif
#include "net/cert/cert_verify_result.h"
using network_time::NetworkTimeTracker;
......@@ -74,6 +78,7 @@ void AddCertStatusToReportStatus(
#undef COPY_CERT_STATUS
}
#if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
void AddVerifyFlagsToReport(
bool enable_rev_checking,
bool require_rev_checking_local_anchors,
......@@ -98,6 +103,32 @@ void AddVerifyFlagsToReport(
}
}
#if defined(OS_MACOSX)
void AddMacTrustFlagsToReport(
int mac_trust_flags,
::google::protobuf::RepeatedField<int>* report_flags) {
#define COPY_TRUST_FLAGS(flag) \
if (mac_trust_flags & net::TrustStoreMac::TRUST_##flag) \
report_flags->Add( \
chrome_browser_ssl::TrialVerificationInfo::MAC_TRUST_##flag);
COPY_TRUST_FLAGS(SETTINGS_ARRAY_EMPTY);
COPY_TRUST_FLAGS(SETTINGS_DICT_EMPTY);
COPY_TRUST_FLAGS(SETTINGS_DICT_UNKNOWN_KEY);
COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_POLICY);
COPY_TRUST_FLAGS(SETTINGS_DICT_INVALID_POLICY_TYPE);
COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_APPLICATION);
COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_POLICY_STRING);
COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_KEY_USAGE);
COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_RESULT);
COPY_TRUST_FLAGS(SETTINGS_DICT_INVALID_RESULT_TYPE);
COPY_TRUST_FLAGS(SETTINGS_DICT_CONTAINS_ALLOWED_ERROR);
#undef COPY_TRUST_FLAGS
}
#endif // defined(OS_MACOSX)
#endif // BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
bool CertificateChainToString(const net::X509Certificate& cert,
std::string* result) {
std::vector<std::string> pem_encoded_chain;
......@@ -123,6 +154,7 @@ CertificateErrorReport::CertificateErrorReport(const std::string& hostname,
cert_report_->add_pin(ssl_info.pinning_failure_log);
}
#if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
CertificateErrorReport::CertificateErrorReport(
const std::string& hostname,
const net::X509Certificate& unverified_cert,
......@@ -131,7 +163,8 @@ CertificateErrorReport::CertificateErrorReport(
bool enable_sha1_local_anchors,
bool disable_symantec_enforcement,
const net::CertVerifyResult& primary_result,
const net::CertVerifyResult& trial_result)
const net::CertVerifyResult& trial_result,
network::mojom::CertVerifierDebugInfoPtr debug_info)
: CertificateErrorReport(hostname,
*primary_result.verified_cert,
&unverified_cert,
......@@ -155,7 +188,13 @@ CertificateErrorReport::CertificateErrorReport(
enable_rev_checking, require_rev_checking_local_anchors,
enable_sha1_local_anchors, disable_symantec_enforcement,
trial_report->mutable_verify_flags());
#if defined(OS_MACOSX)
AddMacTrustFlagsToReport(
debug_info->mac_combined_trust_debug_info,
trial_report->mutable_mac_combined_trust_debug_info());
#endif
}
#endif // BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
CertificateErrorReport::~CertificateErrorReport() {}
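Review bot: `debug_info->mac_combined_trust_debug_info` in the `AddMacTrustFlagsToReport(` call dereferences the new parameter with no null check; the mojom declares `CertVerifierDebugInfo debug_info` as non-nullable so data arriving over the pipe is validated, but this constructor is a public C++ API that can be (and in the unittest is) called directly, and a default-constructed `CertVerifierDebugInfoPtr` would crash here. A `DCHECK(debug_info);` as the first statement of the constructor body, or an `if (debug_info)` guard around the call, makes the contract explicit. The constructor body begins outside this hunk. Separately, this file guards the macOS code with `#if defined(OS_MACOSX)` while trial_comparison_cert_verifier_mojo.cc in the same change uses `defined(OS_MACOSX) && !defined(OS_IOS)`; it is probably harmless because the block is nested under TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED, but aligning the two guards would avoid a surprise if that build flag ever changes.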
......@@ -12,6 +12,11 @@
#include "components/version_info/version_info.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/cert_verifier.h"
#include "net/net_buildflags.h"
#if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
#include "services/network/public/mojom/trial_comparison_cert_verifier.mojom.h"
#endif
namespace base {
class Time;
......@@ -59,6 +64,7 @@ class CertificateErrorReport {
CertificateErrorReport(const std::string& hostname,
const net::SSLInfo& ssl_info);
#if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
// Constructs a dual verification trial report for the given |hostname|, the
// cert and chain sent by the server, the result from the primary verifier,
// and the result from the trial verifier.
......@@ -70,7 +76,9 @@ class CertificateErrorReport {
bool enable_sha1_local_anchors,
bool disable_symantec_enforcement,
const net::CertVerifyResult& primary_result,
const net::CertVerifyResult& trial_result);
const net::CertVerifyResult& trial_result,
network::mojom::CertVerifierDebugInfoPtr debug_info);
#endif
~CertificateErrorReport();
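Review bot: The constructor comment a few lines above ("Constructs a dual verification trial report for the given |hostname| ...") was not updated for the new `debug_info` parameter, so a caller has no indication of what it carries or that it must not be null (the .cc dereferences it unconditionally on macOS). Suggested addition to that comment: `|debug_info| carries extra diagnostic data from the trial verifier (currently the macOS trust-settings flags) and must be non-null; on other platforms its contents are ignored.` The constructor declaration itself starts outside this hunk.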
......@@ -35,6 +35,10 @@
#include "net/cert/cert_verify_proc_android.h"
#endif
#if defined(OS_MACOSX)
#include "net/cert/internal/trust_store_mac.h"
#endif
using net::SSLInfo;
using testing::UnorderedElementsAre;
using testing::UnorderedElementsAreArray;
......@@ -324,4 +328,55 @@ TEST(ErrorReportTest, AndroidAIAFetchingFeatureEnabled) {
}
#endif
#if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
TEST(ErrorReportTest, TrialDebugInfo) {
scoped_refptr<net::X509Certificate> unverified_cert =
net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
scoped_refptr<net::X509Certificate> chain1 =
net::CreateCertificateChainFromFile(net::GetTestCertsDirectory(),
"x509_verify_results.chain.pem",
net::X509Certificate::FORMAT_AUTO);
scoped_refptr<net::X509Certificate> chain2 =
net::CreateCertificateChainFromFile(net::GetTestCertsDirectory(),
"multi-root-chain1.pem",
net::X509Certificate::FORMAT_AUTO);
net::CertVerifyResult primary_result;
primary_result.verified_cert = chain1;
net::CertVerifyResult trial_result;
trial_result.verified_cert = chain2;
network::mojom::CertVerifierDebugInfoPtr debug_info =
network::mojom::CertVerifierDebugInfo::New();
#if defined(OS_MACOSX)
debug_info->mac_combined_trust_debug_info =
net::TrustStoreMac::TRUST_SETTINGS_DICT_CONTAINS_APPLICATION |
net::TrustStoreMac::TRUST_SETTINGS_DICT_CONTAINS_RESULT;
#endif
CertificateErrorReport report("example.com", *unverified_cert, false, false,
false, false, primary_result, trial_result,
std::move(debug_info));
std::string serialized_report;
ASSERT_TRUE(report.Serialize(&serialized_report));
chrome_browser_ssl::CertLoggerRequest parsed;
ASSERT_TRUE(parsed.ParseFromString(serialized_report));
ASSERT_TRUE(parsed.has_features_info());
ASSERT_TRUE(parsed.features_info().has_trial_verification_info());
const chrome_browser_ssl::TrialVerificationInfo& trial_info =
parsed.features_info().trial_verification_info();
#if defined(OS_MACOSX)
ASSERT_EQ(2, trial_info.mac_combined_trust_debug_info_size());
EXPECT_EQ(chrome_browser_ssl::TrialVerificationInfo::
MAC_TRUST_SETTINGS_DICT_CONTAINS_APPLICATION,
trial_info.mac_combined_trust_debug_info()[0]);
EXPECT_EQ(chrome_browser_ssl::TrialVerificationInfo::
MAC_TRUST_SETTINGS_DICT_CONTAINS_RESULT,
trial_info.mac_combined_trust_debug_info()[1]);
#else
EXPECT_EQ(0, trial_info.mac_combined_trust_debug_info_size());
#endif
}
#endif // BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
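Review bot: The macOS assertions index the repeated field by position (`mac_combined_trust_debug_info()[0]` and `[1]`), which ties the test to the order of the COPY_TRUST_FLAGS invocations inside AddMacTrustFlagsToReport rather than to the contract that both flags are reported. `UnorderedElementsAre` is already brought into scope at the top of this file, so the two EXPECT_EQs could become `EXPECT_THAT(trial_info.mac_combined_trust_debug_info(), UnorderedElementsAre(chrome_browser_ssl::TrialVerificationInfo::MAC_TRUST_SETTINGS_DICT_CONTAINS_APPLICATION, chrome_browser_ssl::TrialVerificationInfo::MAC_TRUST_SETTINGS_DICT_CONTAINS_RESULT));` (RepeatedField is iterable, so the container matcher should apply; verify it compiles against the enum/int element type). That also makes the `ASSERT_EQ(2, ...)` size check redundant.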
} // namespace
......@@ -404,6 +404,10 @@ source_set("tests") {
sources += [ "expect_ct_reporter_unittest.cc" ]
deps += [ "//components/certificate_transparency" ]
}
if (trial_comparison_cert_verifier_supported) {
sources += [ "trial_comparison_cert_verifier_mojo_unittest.cc" ]
}
}
jumbo_source_set("test_support") {
......@@ -17,13 +17,22 @@ interface TrialComparisonCertVerifierConfigClient {
OnTrialConfigUpdated(bool allowed);
};
// Contains additional debugging data about the verification. This information
// does not change the meaning of the results.
struct CertVerifierDebugInfo {
// A bitfield of net::TrustStoreMac::TrustDebugInfo flags, containing the
// union of flags from all the GetTrust calls done during verification.
[EnableIf=is_mac]
int32 mac_combined_trust_debug_info;
};
// Sends reports of differences found in the cert verifier trial.
interface TrialComparisonCertVerifierReportClient {
SendTrialReport(
string hostname, X509Certificate cert, bool enable_rev_checking,
bool require_rev_checking_local_anchors, bool enable_sha1_local_anchors,
bool disable_symantec_enforcement, CertVerifyResult primary_result,
CertVerifyResult trial_result);
CertVerifyResult trial_result, CertVerifierDebugInfo debug_info);
};
// Parameters for initializing the cert verification trial.
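Review bot: The comment on `mac_combined_trust_debug_info` describes the value as a bitfield of `net::TrustStoreMac::TrustDebugInfo` flags but does not say that it crosses a process boundary from the network service to the browser, nor that the browser side copies only the named bits into the report (AddMacTrustFlagsToReport in certificate_error_report.cc ignores any bit it does not recognise). Making that explicit keeps future consumers from treating the raw integer as trustworthy or meaningful beyond the defined flags. Suggested addition to the field comment: `Sent by the network service; receivers should only interpret the bits they know and must not assume unknown bits are valid.` It would also help to state on `SendTrialReport` that `debug_info` is non-nullable by design, so the browser implementation may rely on its presence.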
......@@ -6,9 +6,14 @@
#include <utility>
#include "build/build_config.h"
#include "net/cert/cert_verify_proc.h"
#include "net/cert/trial_comparison_cert_verifier.h"
#if defined(OS_MACOSX) && !defined(OS_IOS)
#include "net/cert/internal/trust_store_mac.h"
#endif
namespace network {
TrialComparisonCertVerifierMojo::TrialComparisonCertVerifierMojo(
......@@ -23,10 +28,10 @@ TrialComparisonCertVerifierMojo::TrialComparisonCertVerifierMojo(
std::make_unique<net::TrialComparisonCertVerifier>(
initial_allowed, primary_verify_proc, trial_verify_proc,
base::BindRepeating(
&mojom::TrialComparisonCertVerifierReportClient::SendTrialReport,
&TrialComparisonCertVerifierMojo::OnSendTrialReport,
// Unretained safe because the report_callback will not be called
// after trial_comparison_cert_verifier_ is destroyed.
base::Unretained(report_client_.get())));
base::Unretained(this)));
}
TrialComparisonCertVerifierMojo::~TrialComparisonCertVerifierMojo() = default;
......@@ -49,4 +54,31 @@ void TrialComparisonCertVerifierMojo::OnTrialConfigUpdated(bool allowed) {
trial_comparison_cert_verifier_->set_trial_allowed(allowed);
}
void TrialComparisonCertVerifierMojo::OnSendTrialReport(
const std::string& hostname,
const scoped_refptr<net::X509Certificate>& unverified_cert,
bool enable_rev_checking,
bool require_rev_checking_local_anchors,
bool enable_sha1_local_anchors,
bool disable_symantec_enforcement,
const net::CertVerifyResult& primary_result,
const net::CertVerifyResult& trial_result) {
network::mojom::CertVerifierDebugInfoPtr debug_info =
network::mojom::CertVerifierDebugInfo::New();
#if defined(OS_MACOSX) && !defined(OS_IOS)
auto* mac_trust_debug_info =
net::TrustStoreMac::ResultDebugData::Get(&trial_result);
if (mac_trust_debug_info) {
debug_info->mac_combined_trust_debug_info =
mac_trust_debug_info->combined_trust_debug_info();
}
#endif
report_client_->SendTrialReport(
hostname, unverified_cert, enable_rev_checking,
require_rev_checking_local_anchors, enable_sha1_local_anchors,
disable_symantec_enforcement, primary_result, trial_result,
std::move(debug_info));
}
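Review bot: `OnSendTrialReport` has no comment explaining that it is the adapter between the net-layer report callback and the mojom report client, nor why `net::TrustStoreMac::ResultDebugData::Get(&trial_result)` may return null (presumably when no trust-settings lookup attached debug data to the result, leaving `mac_combined_trust_debug_info` at its default of 0 — confirm against ResultDebugData). A comment such as `// Adapts the TrialComparisonCertVerifier report callback to the mojom client, attaching platform-specific debug data read from |trial_result|.` above the definition, and `// Null when the trial verification attached no trust-store debug data; the field then stays at its default.` above the `if (mac_trust_debug_info)` check, would cover both. In the constructor hunk above, the lifetime comment still says "the report_callback will not be called after trial_comparison_cert_verifier_ is destroyed" but the bound pointer is now `this` rather than the report client; the reasoning holds because `trial_comparison_cert_verifier_` is a member, and rewording it as `// Unretained(this) is safe because trial_comparison_cert_verifier_ is owned by this object and never runs the callback after its own destruction.` would match the new binding.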
} // namespace network
......@@ -21,6 +21,8 @@ class CertVerifyResult;
class TrialComparisonCertVerifier;
} // namespace net
FORWARD_DECLARE_TEST(TrialComparisonCertVerifierMojoTest, SendReportDebugInfo);
namespace network {
// Wrapper around TrialComparisonCertVerifier that does trial configuration and
......@@ -53,9 +55,22 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) TrialComparisonCertVerifierMojo
void SetConfig(const Config& config) override;
private:
FRIEND_TEST_ALL_PREFIXES(::TrialComparisonCertVerifierMojoTest,
SendReportDebugInfo);
// mojom::TrialComparisonCertVerifierConfigClient implementation:
void OnTrialConfigUpdated(bool allowed) override;
void OnSendTrialReport(
const std::string& hostname,
const scoped_refptr<net::X509Certificate>& unverified_cert,
bool enable_rev_checking,
bool require_rev_checking_local_anchors,
bool enable_sha1_local_anchors,
bool disable_symantec_enforcement,
const net::CertVerifyResult& primary_result,
const net::CertVerifyResult& trial_result);
mojo::Binding<mojom::TrialComparisonCertVerifierConfigClient> binding_;
mojom::TrialComparisonCertVerifierReportClientPtr report_client_;
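Review bot: The new private `OnSendTrialReport` declaration has no comment, unlike the `OnTrialConfigUpdated` override just above it, and the FRIEND_TEST_ALL_PREFIXES line gives no hint why the test needs private access. Suggested comment above the declaration: `// Report callback bound into trial_comparison_cert_verifier_; fills in a CertVerifierDebugInfo from |trial_result| (macOS trust-store flags) and forwards the report to report_client_.` The class body continues outside this hunk.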
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "services/network/trial_comparison_cert_verifier_mojo.h"
#include "base/test/task_environment.h"
#include "build/build_config.h"
#include "net/cert/cert_verify_proc.h"
#include "net/test/cert_test_util.h"
#include "net/test/test_data_directory.h"
#include "testing/gtest/include/gtest/gtest.h"
#if defined(OS_MACOSX) && !defined(OS_IOS)
#include "net/cert/internal/trust_store_mac.h"
#endif
struct ReceivedReport {
std::string hostname;
scoped_refptr<net::X509Certificate> unverified_cert;
bool enable_rev_checking;
bool require_rev_checking_local_anchors;
bool enable_sha1_local_anchors;
bool disable_symantec_enforcement;
net::CertVerifyResult primary_result;
net::CertVerifyResult trial_result;
network::mojom::CertVerifierDebugInfoPtr debug_info;
};
class FakeReportClient
: public network::mojom::TrialComparisonCertVerifierReportClient {
public:
explicit FakeReportClient(
network::mojom::TrialComparisonCertVerifierReportClientRequest
report_client_request)
: binding_(this, std::move(report_client_request)) {}
// TrialComparisonCertVerifierReportClient implementation:
void SendTrialReport(
const std::string& hostname,
const scoped_refptr<net::X509Certificate>& unverified_cert,
bool enable_rev_checking,
bool require_rev_checking_local_anchors,
bool enable_sha1_local_anchors,
bool disable_symantec_enforcement,
const net::CertVerifyResult& primary_result,
const net::CertVerifyResult& trial_result,
network::mojom::CertVerifierDebugInfoPtr debug_info) override {
ReceivedReport report;
report.hostname = hostname;
report.unverified_cert = unverified_cert;
report.enable_rev_checking = enable_rev_checking;
report.require_rev_checking_local_anchors =
require_rev_checking_local_anchors;
report.enable_sha1_local_anchors = enable_sha1_local_anchors;
report.disable_symantec_enforcement = disable_symantec_enforcement;
report.primary_result = primary_result;
report.trial_result = trial_result;
report.debug_info = std::move(debug_info);
reports_.push_back(std::move(report));
run_loop_.Quit();
}
const std::vector<ReceivedReport>& reports() const { return reports_; }
void WaitForReport() { run_loop_.Run(); }
private:
mojo::Binding<network::mojom::TrialComparisonCertVerifierReportClient>
binding_;
std::vector<ReceivedReport> reports_;
base::RunLoop run_loop_;
};
TEST(TrialComparisonCertVerifierMojoTest, SendReportDebugInfo) {
base::test::TaskEnvironment scoped_task_environment;
scoped_refptr<net::X509Certificate> unverified_cert =
net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
scoped_refptr<net::X509Certificate> chain1 =
net::CreateCertificateChainFromFile(net::GetTestCertsDirectory(),
"x509_verify_results.chain.pem",
net::X509Certificate::FORMAT_AUTO);
scoped_refptr<net::X509Certificate> chain2 =
net::CreateCertificateChainFromFile(net::GetTestCertsDirectory(),
"multi-root-chain1.pem",
net::X509Certificate::FORMAT_AUTO);
net::CertVerifyResult primary_result;
primary_result.verified_cert = chain1;
net::CertVerifyResult trial_result;
trial_result.verified_cert = chain2;
#if defined(OS_MACOSX) && !defined(OS_IOS)
constexpr int kExpectedTrustDebugInfo = 0xABCD;
auto* mac_trust_debug_info =
net::TrustStoreMac::ResultDebugData::GetOrCreate(&trial_result);
ASSERT_TRUE(mac_trust_debug_info);
mac_trust_debug_info->UpdateTrustDebugInfo(kExpectedTrustDebugInfo);
#endif
network::mojom::TrialComparisonCertVerifierReportClientPtrInfo
report_client_ptr;
FakeReportClient report_client(mojo::MakeRequest(&report_client_ptr));
network::TrialComparisonCertVerifierMojo tccvm(
true, {}, std::move(report_client_ptr), nullptr, nullptr);
tccvm.OnSendTrialReport("example.com", unverified_cert, false, false, false,
false, primary_result, trial_result);
report_client.WaitForReport();
ASSERT_EQ(1U, report_client.reports().size());
const ReceivedReport& report = report_client.reports()[0];
EXPECT_TRUE(
unverified_cert->EqualsIncludingChain(report.unverified_cert.get()));
EXPECT_TRUE(
chain1->EqualsIncludingChain(report.primary_result.verified_cert.get()));
EXPECT_TRUE(
chain2->EqualsIncludingChain(report.trial_result.verified_cert.get()));
ASSERT_TRUE(report.debug_info);
#if defined(OS_MACOSX) && !defined(OS_IOS)
EXPECT_EQ(kExpectedTrustDebugInfo,
report.debug_info->mac_combined_trust_debug_info);
#endif
}
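Review bot: `FakeReportClient::WaitForReport` runs a single `base::RunLoop` member, which can only be run once, so the fake silently cannot wait for a second report; this test only sends one, but a comment such as `// Only usable for a single report: run_loop_ cannot be run again after Quit().` on `WaitForReport()` would stop the next test author from reusing it. The file also relies on `base::RunLoop`, `mojo::Binding`, `mojo::MakeRequest`, `std::string`, `std::vector` and `std::move` without including their declaring headers directly (unless they arrive transitively through the wrapper's header), and `ReceivedReport` and `FakeReportClient` sit in the global namespace where the test fixture must stay for the FRIEND_TEST declaration but the helpers could live in an anonymous namespace. The chosen `kExpectedTrustDebugInfo = 0xABCD` does not correspond to defined `TRUST_*` flags, which is fine for a pass-through check but deserves a one-line comment saying the value is deliberately arbitrary.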