-rw-r--r-- | chrome/browser/profiles/profile_io_data.cc | 44 | ||||
-rw-r--r-- | chrome/browser/profiles/profile_io_data.h | 5 | ||||
-rw-r--r-- | chrome/browser/ssl/cert_verifier_browser_test.cc | 26 | ||||
-rw-r--r-- | chrome/browser/ssl/cert_verifier_browser_test.h | 37 | ||||
-rw-r--r-- | chrome/browser/ssl/ssl_browser_tests.cc | 22 | ||||
-rw-r--r-- | chrome/chrome_tests.gypi | 2 |
6 files changed, 121 insertions, 15 deletions
diff --git a/chrome/browser/profiles/profile_io_data.cc b/chrome/browser/profiles/profile_io_data.cc index a149387..b8db2b3 100644 --- a/chrome/browser/profiles/profile_io_data.cc +++ b/chrome/browser/profiles/profile_io_data.cc @@ -64,6 +64,7 @@ #include "content/public/browser/notification_service.h" #include "content/public/browser/resource_context.h" #include "net/base/keygen_handler.h" +#include "net/cert/cert_verifier.h" #include "net/cookies/canonical_cookie.h" #include "net/http/http_transaction_factory.h" #include "net/http/http_util.h" @@ -156,6 +157,8 @@ using content::ResourceContext; namespace { +net::CertVerifier* g_cert_verifier_for_testing = nullptr; + #if defined(DEBUG_DEVTOOLS) bool IsSupportedDevToolsURL(const GURL& url, base::FilePath* path) { std::string bundled_path_prefix(chrome::kChromeUIDevToolsBundledPath); @@ -748,6 +751,12 @@ void ProfileIOData::InstallProtocolHandlers( protocol_handlers->clear(); } +// static +void ProfileIOData::SetCertVerifierForTesting( + net::CertVerifier* cert_verifier) { + g_cert_verifier_for_testing = cert_verifier; +} + content::ResourceContext* ProfileIOData::GetResourceContext() const { return resource_context_.get(); } 
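Review bot: `g_cert_verifier_for_testing` and `SetCertVerifierForTesting()` are added to profile_io_data.cc with no build-time or runtime guard, so as far as this diff shows, the hook that replaces certificate verification for every profile is compiled into the shipping binary and protected only by its `ForTesting` name. The pointer is also a plain global that the test fixture writes and `ProfileIOData::Init()` reads (apparently on the IO thread), and nothing states the ordering that makes this safe. I would add a comment at the declaration, e.g. `// Test-only, not owned. Must be set before any ProfileIOData::Init() runs and must outlive every profile initialized with it.` If the project has a check that keeps `ForTesting` functions out of production callers, it is worth confirming it covers this one.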
@@ -1099,24 +1108,31 @@ void ProfileIOData::Init( use_system_key_slot_ = profile_params_->use_system_key_slot; if (use_system_key_slot_) EnableNSSSystemKeySlotForResourceContext(resource_context_.get()); +#endif - crypto::ScopedPK11Slot public_slot = - crypto::GetPublicSlotForChromeOSUser(username_hash_); - // The private slot won't be ready by this point. It shouldn't be necessary - // for cert trust purposes anyway. - scoped_refptr<net::CertVerifyProc> verify_proc( - new chromeos::CertVerifyProcChromeOS(public_slot.Pass())); - if (policy_cert_verifier_) { - DCHECK_EQ(policy_cert_verifier_, cert_verifier_.get()); - policy_cert_verifier_->InitializeOnIOThread(verify_proc); + if (g_cert_verifier_for_testing) { + main_request_context_->set_cert_verifier(g_cert_verifier_for_testing); } else { - cert_verifier_.reset(new net::MultiThreadedCertVerifier(verify_proc.get())); - } - main_request_context_->set_cert_verifier(cert_verifier_.get()); +#if defined(OS_CHROMEOS) + crypto::ScopedPK11Slot public_slot = + crypto::GetPublicSlotForChromeOSUser(username_hash_); + // The private slot won't be ready by this point. It shouldn't be necessary + // for cert trust purposes anyway. + scoped_refptr<net::CertVerifyProc> verify_proc( + new chromeos::CertVerifyProcChromeOS(public_slot.Pass())); + if (policy_cert_verifier_) { + DCHECK_EQ(policy_cert_verifier_, cert_verifier_.get()); + policy_cert_verifier_->InitializeOnIOThread(verify_proc); + } else { + cert_verifier_.reset( + new net::MultiThreadedCertVerifier(verify_proc.get())); + } + main_request_context_->set_cert_verifier(cert_verifier_.get()); #else - main_request_context_->set_cert_verifier( - io_thread_globals->cert_verifier.get()); + main_request_context_->set_cert_verifier( + io_thread_globals->cert_verifier.get()); #endif + } // Install the New Tab Page Interceptor. if (profile_params_->new_tab_page_interceptor.get()) { 
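Review bot: The new `if (g_cert_verifier_for_testing)` branch skips the Chrome OS verifier setup entirely: `policy_cert_verifier_->InitializeOnIOThread(verify_proc)` is never called, and `cert_verifier_` is never created when there is no policy verifier. Any code that reads those members after Init (not visible in this hunk) would then see a null or uninitialized verifier whenever the test hook is set. Either keep the Chrome OS initialization outside the branch and switch only the argument passed to `set_cert_verifier()`, or record the restriction with `// Test override: |cert_verifier_| and |policy_cert_verifier_| are intentionally left uninitialized.` Init's body starts and ends outside the hunk.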
diff --git a/chrome/browser/profiles/profile_io_data.h b/chrome/browser/profiles/profile_io_data.h index 3f9dbaf..a3a55b1 100644 --- a/chrome/browser/profiles/profile_io_data.h +++ b/chrome/browser/profiles/profile_io_data.h @@ -109,6 +109,9 @@ class ProfileIOData { net::URLRequestJobFactoryImpl* job_factory, content::ProtocolHandlerMap* protocol_handlers); + // Sets a global CertVerifier to use when initializing all profiles. + static void SetCertVerifierForTesting(net::CertVerifier* cert_verifier); + // Called by Profile. content::ResourceContext* GetResourceContext() const; @@ -550,8 +553,8 @@ class ProfileIOData { #if defined(OS_CHROMEOS) // Set to |cert_verifier_| if it references a PolicyCertVerifier. In that // case, the verifier is owned by |cert_verifier_|. Otherwise, set to NULL. - mutable policy::PolicyCertVerifier* policy_cert_verifier_; mutable scoped_ptr<net::CertVerifier> cert_verifier_; + mutable policy::PolicyCertVerifier* policy_cert_verifier_; mutable std::string username_hash_; mutable bool use_system_key_slot_; #endif diff --git a/chrome/browser/ssl/cert_verifier_browser_test.cc b/chrome/browser/ssl/cert_verifier_browser_test.cc new file mode 100644 index 0000000..5ec31c3 --- /dev/null +++ b/chrome/browser/ssl/cert_verifier_browser_test.cc 
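Review bot: The comment on `SetCertVerifierForTesting()` does not say who owns the verifier, when it may be called, or how far the override reaches. Per the .cc change, the pointer is stored raw and only `main_request_context_` is given it, so "all profiles" overstates the scope, and a caller cannot tell that the object must outlive every profile. Suggested wording: `// Test-only. Overrides the CertVerifier of each profile's main request context. |cert_verifier| is not owned, must be set before profiles are initialized and must outlive them; pass nullptr to clear.`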
@@ -0,0 +1,26 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/cert_verifier_browser_test.h"
+
+#include "chrome/browser/profiles/profile_io_data.h"
+#include "net/cert/mock_cert_verifier.h"
+
+CertVerifierBrowserTest::CertVerifierBrowserTest()
+ : InProcessBrowserTest(),
+ mock_cert_verifier_(new net::MockCertVerifier()) {}
+
+CertVerifierBrowserTest::~CertVerifierBrowserTest() {}
+
+void CertVerifierBrowserTest::SetUpInProcessBrowserTestFixture() {
+ ProfileIOData::SetCertVerifierForTesting(mock_cert_verifier_.get());
+}
+
+void CertVerifierBrowserTest::TearDownInProcessBrowserTestFixture() {
+ ProfileIOData::SetCertVerifierForTesting(nullptr);
+}
+
+net::MockCertVerifier* CertVerifierBrowserTest::mock_cert_verifier() {
+ return mock_cert_verifier_.get();
+}
diff --git a/chrome/browser/ssl/cert_verifier_browser_test.h b/chrome/browser/ssl/cert_verifier_browser_test.h
new file mode 100644
index 0000000..d5d977c
--- /dev/null
+++ b/chrome/browser/ssl/cert_verifier_browser_test.h
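Review bot: `TearDownInProcessBrowserTestFixture()` clears the global, but every `main_request_context_` initialized during the test still holds the raw `mock_cert_verifier_` pointer, and the mock is destroyed only with the fixture. That is safe only if all profiles' request contexts are gone before the fixture is destroyed, which this file neither states nor checks. A comment in the teardown such as `// All profiles and their request contexts are destroyed by now; the mock must outlive them.` would record the assumption, which should be confirmed against the browser-test shutdown order.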
@@ -0,0 +1,37 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_SSL_CERT_VERIFIER_BROWSER_TEST_H_
+#define CHROME_BROWSER_SSL_CERT_VERIFIER_BROWSER_TEST_H_
+
+#include "base/memory/scoped_ptr.h"
+#include "chrome/test/base/in_process_browser_test.h"
+
+namespace net {
+class MockCertVerifier;
+} // namespace net
+
+// CertVerifierBrowserTest allows tests to force certificate
+// verification results for requests made with any profile's main
+// request context (such as navigations). To do so, tests can use the
+// MockCertVerifier exposed via
+// CertVerifierBrowserTest::mock_cert_verifier().
+class CertVerifierBrowserTest : public InProcessBrowserTest {
+ public:
+ CertVerifierBrowserTest();
+ ~CertVerifierBrowserTest() override;
+
+ // InProcessBrowserTest:
+ void SetUpInProcessBrowserTestFixture() override;
+ void TearDownInProcessBrowserTestFixture() override;
+
+ // Returns a pointer to the MockCertVerifier used by all profiles in
+ // this test.
+ net::MockCertVerifier* mock_cert_verifier();
+
+ private:
+ scoped_ptr<net::MockCertVerifier> mock_cert_verifier_;
+};
+
+#endif // CHROME_BROWSER_SSL_CERT_VERIFIER_BROWSER_TEST_H_
diff --git a/chrome/browser/ssl/ssl_browser_tests.cc b/chrome/browser/ssl/ssl_browser_tests.cc
index 5a0891f..7391243 100644
--- a/chrome/browser/ssl/ssl_browser_tests.cc
+++ b/chrome/browser/ssl/ssl_browser_tests.cc
@@ -24,6 +24,7 @@
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ssl/cert_logger.pb.h"
 #include "chrome/browser/ssl/cert_report_helper.h"
+#include "chrome/browser/ssl/cert_verifier_browser_test.h"
 #include "chrome/browser/ssl/certificate_error_report.h"
 #include "chrome/browser/ssl/certificate_reporting_test_utils.h"
 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
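Review bot: The class comment in cert_verifier_browser_test.h leaves out two things a fixture author needs to know. First, a subclass that overrides `SetUpInProcessBrowserTestFixture()` or `TearDownInProcessBrowserTestFixture()` must call these versions, otherwise the real verifier is used with no failure signal. Second, verification results come solely from the mock, so a test has to configure `mock_cert_verifier()` before its first HTTPS load (I believe MockCertVerifier's default result is an error; worth confirming). I would add `// Subclasses overriding the fixture set-up/tear-down must call the CertVerifierBrowserTest versions.` above the two overrides.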
@@ -61,6 +62,7 @@ #include "net/base/net_errors.h" #include "net/base/test_data_directory.h" #include "net/cert/cert_status_flags.h" +#include "net/cert/mock_cert_verifier.h" #include "net/cert/x509_certificate.h" #include "net/ssl/ssl_info.h" #include "net/test/spawned_test_server/spawned_test_server.h" @@ -2280,6 +2282,26 @@ IN_PROC_BROWSER_TEST_F(SSLBlockingPageIDNTest, SSLBlockingPageDecodesIDN) { EXPECT_TRUE(VerifyIDNDecoded()); } +IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest, MockCertVerifierSmokeTest) { + net::SpawnedTestServer https_server( + net::SpawnedTestServer::TYPE_HTTPS, + net::SpawnedTestServer::SSLOptions( + net::SpawnedTestServer::SSLOptions::CERT_OK), + base::FilePath(kDocRoot)); + ASSERT_TRUE(https_server.Start()); + + mock_cert_verifier()->set_default_result( + net::ERR_CERT_NAME_CONSTRAINT_VIOLATION); + + ui_test_utils::NavigateToURL(browser(), + https_server.GetURL("files/ssl/google.html")); + + CheckSecurityState(browser()->tab_strip_model()->GetActiveWebContents(), + net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION, + content::SECURITY_STYLE_AUTHENTICATION_BROKEN, + AuthState::SHOWING_INTERSTITIAL); +} + // TODO(jcampan): more tests to do below. // Visit a page over https that contains a frame with a redirect. diff --git a/chrome/chrome_tests.gypi b/chrome/chrome_tests.gypi index 96abb37..9262d92 100644 --- a/chrome/chrome_tests.gypi +++ b/chrome/chrome_tests.gypi @@ -403,6 +403,8 @@ 'browser/ssl/captive_portal_blocking_page_browsertest.cc', 'browser/ssl/certificate_reporting_test_utils.cc', 'browser/ssl/certificate_reporting_test_utils.h', + 'browser/ssl/cert_verifier_browser_test.cc', + 'browser/ssl/cert_verifier_browser_test.h', 'browser/ssl/chrome_ssl_host_state_delegate_test.cc', 'browser/ssl/ssl_browser_tests.cc', 'browser/ssl/ssl_client_certificate_selector_test.cc', |
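Review bot: `MockCertVerifierSmokeTest` proves the override only for the default profile and only for a forced failure. The fixture's header promises the mock for any profile's main request context, and for a hook like this the forced-success direction most needs a regression test. I would add a case where the test server presents a bad certificate, the mock result is `net::OK`, and the test checks that no interstitial is shown. I would also add a navigation in an incognito browser so that a second profile is covered.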