author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-03-19 20:19:47 +0000 |
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-03-19 20:19:47 +0000 |
commit | 131d13b8530e28cea6ae0fd5fa7e41723667ce04 (patch) | |
tree | 57cb7f1f6d07b581b1979b96b6ab9f55d51f0f22 /net/test | |
parent | eaf60d8ba229a9dc7344cc305ef23607ce4b52be (diff) | |
Revert "Revert "net: add OCSP tests.""
(First landed in r127486, reverted in r127493 because it broke on
Windows XP.)
I was getting increasingly unhappy altering EV and revocation checking
semantics without any tests. We historically haven't had tests because
online revocation checking is inherently flaky, so I amended testserver
with the minimum code needed to sign and vend OCSP responses.
These tests do not test the final EV/CRLSet/revocation checking
semantics. They are intended to be altered in future CLs.
BUG=none
TEST=net_unittests
https://chromiumcodereview.appspot.com/9663017/
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@127518 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/test')
-rw-r--r-- | net/test/base_test_server.cc | 44 | ||||
-rw-r--r-- | net/test/base_test_server.h | 21 |
2 files changed, 57 insertions, 8 deletions
diff --git a/net/test/base_test_server.cc b/net/test/base_test_server.cc
index c4f0fc6..eefd953 100644
--- a/net/test/base_test_server.cc
+++ b/net/test/base_test_server.cc
@@ -55,6 +55,7 @@ void GetCiphersList(int cipher, base::ListValue* values) {
 BaseTestServer::HTTPSOptions::HTTPSOptions()
     : server_certificate(CERT_OK),
+      ocsp_status(OCSP_OK),
       request_client_certificate(false),
       bulk_ciphers(HTTPSOptions::BULK_CIPHER_ANY),
       record_resume(false) {}
@@ -79,12 +80,31 @@ FilePath BaseTestServer::HTTPSOptions::GetCertificateFile() const {
       // This chain uses its own dedicated test root certificate to avoid
       // side-effects that may affect testing.
       return FilePath(FILE_PATH_LITERAL("redundant-server-chain.pem"));
+    case CERT_AUTO:
+      return FilePath();
     default:
       NOTREACHED();
   }
   return FilePath();
 }
+std::string BaseTestServer::HTTPSOptions::GetOCSPArgument() const {
+  if (server_certificate != CERT_AUTO)
+    return "";
+
+  switch (ocsp_status) {
+    case OCSP_OK:
+      return "ok";
+    case OCSP_REVOKED:
+      return "revoked";
+    case OCSP_INVALID:
+      return "invalid";
+    default:
+      NOTREACHED();
+      return "";
+  }
+}
+
 const char BaseTestServer::kLocalhost[] = "127.0.0.1";
 const char BaseTestServer::kGDataAuthToken[] = "testtoken";
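Review bot: GetOCSPArgument silently returns the empty string whenever server_certificate is not CERT_AUTO, so a test that sets ocsp_status to OCSP_REVOKED or OCSP_INVALID but leaves the default certificate gets no "ocsp" argument and may pass without ever exercising the revocation path it was written for. Since the switch already relies on NOTREACHED from base/logging.h, a debug check at the top of the function would surface that misconfiguration at the point it is made: `DCHECK(server_certificate == CERT_AUTO || ocsp_status == OCSP_OK) << "ocsp_status is ignored unless server_certificate is CERT_AUTO";`. The GetCertificateFile hunk above starts outside the visible diff, so the added CERT_AUTO case is reviewed only against the tail of that switch.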
@@ -309,17 +329,25 @@ bool BaseTestServer::GenerateArguments(base::DictionaryValue* arguments) const {
   arguments->Set("log-to-console", base::Value::CreateNullValue());
   if (type_ == TYPE_HTTPS) {
+    arguments->Set("https", base::Value::CreateNullValue());
+
     // Check the certificate arguments of the HTTPS server.
     FilePath certificate_path(certificates_dir_);
-    certificate_path = certificate_path.Append(
-        https_options_.GetCertificateFile());
-    if (certificate_path.IsAbsolute() &&
-        !file_util::PathExists(certificate_path)) {
-      LOG(ERROR) << "Certificate path " << certificate_path.value()
-                 << " doesn't exist. Can't launch https server.";
-      return false;
+    FilePath certificate_file(https_options_.GetCertificateFile());
+    if (!certificate_file.value().empty()) {
+      certificate_path = certificate_path.Append(certificate_file);
+      if (certificate_path.IsAbsolute() &&
+          !file_util::PathExists(certificate_path)) {
+        LOG(ERROR) << "Certificate path " << certificate_path.value()
+                   << " doesn't exist. Can't launch https server.";
+        return false;
+      }
+      arguments->SetString("cert-and-key-file", certificate_path.value());
     }
-    arguments->SetString("https", certificate_path.value());
+
+    std::string ocsp_arg = https_options_.GetOCSPArgument();
+    if (!ocsp_arg.empty())
+      arguments->SetString("ocsp", ocsp_arg);
     // Check the client certificate related arguments.
     if (https_options_.request_client_certificate)
diff --git a/net/test/base_test_server.h b/net/test/base_test_server.h
index 7264a65..fd04e55 100644
--- a/net/test/base_test_server.h
+++ b/net/test/base_test_server.h
@@ -46,6 +46,11 @@ class BaseTestServer {
   struct HTTPSOptions {
     enum ServerCertificate {
       CERT_OK,
+
+      // CERT_AUTO causes the testserver to generate a test certificate issued
+      // by "Testing CA" (see net/data/ssl/certificates/ocsp-test-root.pem).
+      CERT_AUTO,
+
       CERT_MISMATCHED_NAME,
       CERT_EXPIRED,
       // Cross-signed certificate to test PKIX path building. Contains an
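Review bot: The `// Check the certificate arguments of the HTTPS server.` comment no longer describes the new branch, which skips both the existence check and the cert-and-key-file argument when GetCertificateFile() returns an empty path; from the earlier hunk in this file that is the CERT_AUTO case, where the testserver is expected to produce its own certificate. A why-comment on the new `if (!certificate_file.value().empty())` line would make that explicit, e.g. `// CERT_AUTO yields an empty file name: the testserver generates its own certificate, so no cert-and-key-file argument is passed.` Because the only path-existence check now lives inside that branch, a missing OCSP test root is not detected here; whether testserver reports that itself is not visible in this diff. GenerateArguments starts and ends outside this hunk.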
@@ -55,6 +60,14 @@ class BaseTestServer {
       CERT_CHAIN_WRONG_ROOT,
     };
+    // OCSPStatus enumerates the types of OCSP response that the testserver
+    // can produce.
+    enum OCSPStatus {
+      OCSP_OK,
+      OCSP_REVOKED,
+      OCSP_INVALID,
+    };
+
     // Bitmask of bulk encryption algorithms that the test server supports
     // and that can be selectively enabled or disabled.
     enum BulkCipher {
@@ -83,9 +96,17 @@ class BaseTestServer {
     // |server_certificate|.
     FilePath GetCertificateFile() const;
+    // GetOCSPArgument returns the value of any OCSP argument to testserver or
+    // the empty string if there is none.
+    std::string GetOCSPArgument() const;
+
     // The certificate to use when serving requests.
     ServerCertificate server_certificate;
+    // If |server_certificate==CERT_AUTO| then this determines the type of OCSP
+    // response returned.
+    OCSPStatus ocsp_status;
+
     // True if a CertificateRequest should be sent to the client during
     // handshaking.
     bool request_client_certificate;