// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/caching_cert_verifier.h" #include #include "base/files/file_path.h" #include "base/memory/ref_counted.h" #include "base/test/task_environment.h" #include "net/base/net_errors.h" #include "net/base/test_completion_callback.h" #include "net/cert/cert_database.h" #include "net/cert/cert_verifier.h" #include "net/cert/cert_verify_result.h" #include "net/cert/mock_cert_verifier.h" #include "net/cert/x509_certificate.h" #include "net/cert/x509_util.h" #include "net/log/net_log_with_source.h" #include "net/test/cert_test_util.h" #include "net/test/ct_test_util.h" #include "net/test/gtest_util.h" #include "net/test/test_data_directory.h" #include "net/test/test_with_task_environment.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" using net::test::IsError; using net::test::IsOk; using testing::_; using testing::Mock; using testing::Return; using testing::ReturnRef; namespace net { class CachingCertVerifierTest : public TestWithTaskEnvironment { public: CachingCertVerifierTest() : verifier_(std::make_unique()) {} ~CachingCertVerifierTest() override = default; protected: CachingCertVerifier verifier_; }; TEST_F(CachingCertVerifierTest, CacheHit) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr test_cert( ImportCertFromFile(certs_dir, "ok_cert.pem")); ASSERT_TRUE(test_cert.get()); int error; CertVerifyResult verify_result; TestCompletionCallback callback; std::unique_ptr request; error = callback.GetResult(verifier_.Verify( CertVerifier::RequestParams(test_cert, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource())); ASSERT_TRUE(IsCertificateError(error)); ASSERT_EQ(1u, verifier_.requests()); ASSERT_EQ(0u, verifier_.cache_hits()); ASSERT_EQ(1u, verifier_.GetCacheSize()); error = verifier_.Verify( CertVerifier::RequestParams(test_cert, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource()); // Synchronous completion. ASSERT_NE(ERR_IO_PENDING, error); ASSERT_TRUE(IsCertificateError(error)); ASSERT_FALSE(request); ASSERT_EQ(2u, verifier_.requests()); ASSERT_EQ(1u, verifier_.cache_hits()); ASSERT_EQ(1u, verifier_.GetCacheSize()); } TEST_F(CachingCertVerifierTest, CacheHitCTResultsCached) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr test_cert( ImportCertFromFile(certs_dir, "ok_cert.pem")); ASSERT_TRUE(test_cert.get()); auto cert_verifier = std::make_unique(); // Mock the cert verification and CT verification results. CertVerifyResult mock_result; mock_result.cert_status = OK; mock_result.verified_cert = test_cert; scoped_refptr sct; ct::GetX509CertSCT(&sct); SignedCertificateTimestampAndStatus sct_and_status(sct, ct::SCT_STATUS_OK); SignedCertificateTimestampAndStatusList sct_list{sct_and_status}; mock_result.scts = sct_list; cert_verifier->AddResultForCert(test_cert, mock_result, OK); // We don't use verifier_ here because we needed to call AddResultForCert from // the mock verifier. CachingCertVerifier cache_verifier(std::move(cert_verifier)); int result; CertVerifyResult verify_result; TestCompletionCallback callback; std::unique_ptr request; result = callback.GetResult(cache_verifier.Verify( CertVerifier::RequestParams(test_cert, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource())); ASSERT_EQ(OK, result); ASSERT_EQ(1u, verify_result.scts.size()); ASSERT_EQ(ct::SCT_STATUS_OK, verify_result.scts[0].status); ASSERT_EQ(1u, cache_verifier.requests()); ASSERT_EQ(0u, cache_verifier.cache_hits()); ASSERT_EQ(1u, cache_verifier.GetCacheSize()); result = cache_verifier.Verify( CertVerifier::RequestParams(test_cert, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource()); // Synchronous completion. ASSERT_EQ(OK, result); ASSERT_FALSE(request); ASSERT_EQ(1u, verify_result.scts.size()); ASSERT_EQ(ct::SCT_STATUS_OK, verify_result.scts[0].status); ASSERT_EQ(2u, cache_verifier.requests()); ASSERT_EQ(1u, cache_verifier.cache_hits()); ASSERT_EQ(1u, cache_verifier.GetCacheSize()); } // Tests the same server certificate with different intermediate CA // certificates. These should be treated as different certificate chains even // though the two X509Certificate objects contain the same server certificate. TEST_F(CachingCertVerifierTest, DifferentCACerts) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr server_cert = ImportCertFromFile(certs_dir, "salesforce_com_test.pem"); ASSERT_TRUE(server_cert); scoped_refptr intermediate_cert1 = ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem"); ASSERT_TRUE(intermediate_cert1); scoped_refptr intermediate_cert2 = ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2016.pem"); ASSERT_TRUE(intermediate_cert2); std::vector> intermediates; intermediates.push_back(bssl::UpRef(intermediate_cert1->cert_buffer())); scoped_refptr cert_chain1 = X509Certificate::CreateFromBuffer(bssl::UpRef(server_cert->cert_buffer()), std::move(intermediates)); ASSERT_TRUE(cert_chain1); intermediates.clear(); intermediates.push_back(bssl::UpRef(intermediate_cert2->cert_buffer())); scoped_refptr cert_chain2 = X509Certificate::CreateFromBuffer(bssl::UpRef(server_cert->cert_buffer()), std::move(intermediates)); ASSERT_TRUE(cert_chain2); int error; CertVerifyResult verify_result; TestCompletionCallback callback; std::unique_ptr request; error = callback.GetResult(verifier_.Verify( CertVerifier::RequestParams(cert_chain1, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource())); ASSERT_TRUE(IsCertificateError(error)); ASSERT_EQ(1u, verifier_.requests()); ASSERT_EQ(0u, verifier_.cache_hits()); ASSERT_EQ(1u, verifier_.GetCacheSize()); error = callback.GetResult(verifier_.Verify( CertVerifier::RequestParams(cert_chain2, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource())); ASSERT_TRUE(IsCertificateError(error)); ASSERT_EQ(2u, verifier_.requests()); ASSERT_EQ(0u, verifier_.cache_hits()); ASSERT_EQ(2u, verifier_.GetCacheSize()); } TEST_F(CachingCertVerifierTest, ObserverIsForwarded) { auto mock_cert_verifier = std::make_unique(); MockCertVerifier* mock_cert_verifier_ptr = mock_cert_verifier.get(); CachingCertVerifier cache_verifier(std::move(mock_cert_verifier)); CertVerifierObserverCounter observer_(&cache_verifier); EXPECT_EQ(observer_.change_count(), 0u); // A CertVerifierChanged event on the wrapped verifier should be forwarded to // observers registered on CachingCertVerifier. mock_cert_verifier_ptr->SimulateOnCertVerifierChanged(); EXPECT_EQ(observer_.change_count(), 1u); } namespace { enum class ChangeType { kSetConfig, kCertVerifierChanged, kCertDBChanged, }; } // namespace class CachingCertVerifierCacheClearingTest : public testing::TestWithParam { public: CachingCertVerifierCacheClearingTest() { auto mock_cert_verifier = std::make_unique(); mock_verifier_ = mock_cert_verifier.get(); verifier_ = std::make_unique(std::move(mock_cert_verifier)); } ChangeType change_type() const { return GetParam(); } void DoCacheClearingAction() { switch (change_type()) { case ChangeType::kSetConfig: verifier_->SetConfig({}); break; case ChangeType::kCertVerifierChanged: mock_verifier_->SimulateOnCertVerifierChanged(); break; case ChangeType::kCertDBChanged: CertDatabase::GetInstance()->NotifyObserversTrustStoreChanged(); base::RunLoop().RunUntilIdle(); break; } } protected: base::test::SingleThreadTaskEnvironment task_environment_; std::unique_ptr verifier_; raw_ptr mock_verifier_; }; TEST_P(CachingCertVerifierCacheClearingTest, CacheClearedSyncVerification) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr test_cert( ImportCertFromFile(certs_dir, "ok_cert.pem")); ASSERT_TRUE(test_cert.get()); mock_verifier_->set_async(false); int error; CertVerifyResult verify_result; TestCompletionCallback callback; std::unique_ptr request; error = verifier_->Verify( CertVerifier::RequestParams(test_cert, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource()); ASSERT_TRUE(IsCertificateError(error)); ASSERT_EQ(1u, verifier_->requests()); ASSERT_EQ(0u, verifier_->cache_hits()); ASSERT_EQ(1u, verifier_->GetCacheSize()); DoCacheClearingAction(); ASSERT_EQ(0u, verifier_->GetCacheSize()); error = verifier_->Verify( CertVerifier::RequestParams(test_cert, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource()); ASSERT_TRUE(IsCertificateError(error)); ASSERT_FALSE(request); ASSERT_EQ(2u, verifier_->requests()); ASSERT_EQ(0u, verifier_->cache_hits()); ASSERT_EQ(1u, verifier_->GetCacheSize()); } TEST_P(CachingCertVerifierCacheClearingTest, CacheClearedAsyncVerification) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr test_cert( ImportCertFromFile(certs_dir, "ok_cert.pem")); ASSERT_TRUE(test_cert.get()); mock_verifier_->set_async(true); int error; CertVerifyResult verify_result; TestCompletionCallback callback; std::unique_ptr request; error = verifier_->Verify( CertVerifier::RequestParams(test_cert, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource()); ASSERT_EQ(ERR_IO_PENDING, error); ASSERT_TRUE(request); ASSERT_EQ(1u, verifier_->requests()); ASSERT_EQ(0u, verifier_->cache_hits()); ASSERT_EQ(0u, verifier_->GetCacheSize()); DoCacheClearingAction(); ASSERT_EQ(0u, verifier_->GetCacheSize()); error = callback.WaitForResult(); ASSERT_TRUE(IsCertificateError(error)); // Async result should not have been cached since it was from a verification // started before the config changed. ASSERT_EQ(0u, verifier_->GetCacheSize()); error = verifier_->Verify( CertVerifier::RequestParams(test_cert, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource()); ASSERT_EQ(ERR_IO_PENDING, error); ASSERT_TRUE(request); ASSERT_EQ(2u, verifier_->requests()); ASSERT_EQ(0u, verifier_->cache_hits()); ASSERT_EQ(0u, verifier_->GetCacheSize()); error = callback.WaitForResult(); ASSERT_TRUE(IsCertificateError(error)); // New async result should be cached since it was from a verification started // after the config changed. ASSERT_EQ(1u, verifier_->GetCacheSize()); // Verify again. Result should be synchronous this time since it will get the // cached result. error = verifier_->Verify( CertVerifier::RequestParams(test_cert, "www.example.com", 0, /*ocsp_response=*/std::string(), /*sct_list=*/std::string()), &verify_result, callback.callback(), &request, NetLogWithSource()); ASSERT_TRUE(IsCertificateError(error)); ASSERT_FALSE(request); ASSERT_EQ(3u, verifier_->requests()); ASSERT_EQ(1u, verifier_->cache_hits()); ASSERT_EQ(1u, verifier_->GetCacheSize()); } INSTANTIATE_TEST_SUITE_P(All, CachingCertVerifierCacheClearingTest, testing::Values(ChangeType::kSetConfig, ChangeType::kCertVerifierChanged, ChangeType::kCertDBChanged)); } // namespace net