1 // Copyright 2018 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "services/network/ssl_config_service_mojo.h"
6
7 #include "base/files/file_util.h"
8 #include "base/run_loop.h"
9 #include "base/stl_util.h"
10 #include "base/test/task_environment.h"
11 #include "build/build_config.h"
12 #include "crypto/sha2.h"
13 #include "mojo/public/cpp/bindings/remote.h"
14 #include "net/base/test_completion_callback.h"
15 #include "net/cert/asn1_util.h"
16 #include "net/cert/cert_verifier.h"
17 #include "net/cert/cert_verify_result.h"
18 #include "net/cert/crl_set.h"
19 #include "net/cert/test_root_certs.h"
20 #include "net/cert/x509_certificate.h"
21 #include "net/cert/x509_util.h"
22 #include "net/log/net_log_with_source.h"
23 #include "net/ssl/ssl_config.h"
24 #include "net/ssl/ssl_config_service.h"
25 #include "net/test/cert_test_util.h"
26 #include "net/test/gtest_util.h"
27 #include "net/test/test_data_directory.h"
28 #include "net/url_request/url_request_context.h"
29 #include "services/network/network_context.h"
30 #include "services/network/network_service.h"
31 #include "services/network/public/mojom/network_service.mojom.h"
32 #include "services/network/public/mojom/ssl_config.mojom.h"
33 #include "testing/gmock/include/gmock/gmock.h"
34 #include "testing/gtest/include/gtest/gtest.h"
35
36 namespace network {
37 namespace {
38
39 class TestSSLConfigServiceObserver : public net::SSLConfigService::Observer {
40 public:
TestSSLConfigServiceObserver(net::SSLConfigService * ssl_config_service)41 explicit TestSSLConfigServiceObserver(
42 net::SSLConfigService* ssl_config_service)
43 : ssl_config_service_(ssl_config_service) {
44 ssl_config_service_->AddObserver(this);
45 }
46
~TestSSLConfigServiceObserver()47 ~TestSSLConfigServiceObserver() override {
48 EXPECT_EQ(observed_changes_, changes_to_wait_for_);
49 ssl_config_service_->RemoveObserver(this);
50 }
51
52 // net::SSLConfigService::Observer implementation:
OnSSLContextConfigChanged()53 void OnSSLContextConfigChanged() override {
54 ++observed_changes_;
55 ssl_context_config_during_change_ =
56 ssl_config_service_->GetSSLContextConfig();
57 if (run_loop_)
58 run_loop_->Quit();
59 }
60
61 // Waits for a SSLContextConfig change. The first time it's called, waits for
62 // the first change, if one hasn't been observed already, the second time,
63 // waits for the second, etc. Must be called once for each change that
64 // happens, and fails if more than once change happens between calls, or
65 // during a call.
WaitForChange()66 void WaitForChange() {
67 EXPECT_FALSE(run_loop_);
68 ++changes_to_wait_for_;
69 if (changes_to_wait_for_ == observed_changes_)
70 return;
71 EXPECT_LT(observed_changes_, changes_to_wait_for_);
72
73 run_loop_ = std::make_unique<base::RunLoop>();
74 run_loop_->Run();
75 run_loop_.reset();
76 EXPECT_EQ(observed_changes_, changes_to_wait_for_);
77 }
78
ssl_context_config_during_change() const79 const net::SSLContextConfig& ssl_context_config_during_change() const {
80 return ssl_context_config_during_change_;
81 }
82
observed_changes() const83 int observed_changes() const { return observed_changes_; }
84
85 private:
86 net::SSLConfigService* const ssl_config_service_;
87 int observed_changes_ = 0;
88 int changes_to_wait_for_ = 0;
89 net::SSLContextConfig ssl_context_config_during_change_;
90 std::unique_ptr<base::RunLoop> run_loop_;
91 };
92
93 class TestCertVerifierConfigObserver : public net::CertVerifier {
94 public:
95 TestCertVerifierConfigObserver() = default;
~TestCertVerifierConfigObserver()96 ~TestCertVerifierConfigObserver() override {
97 EXPECT_EQ(observed_changes_, changes_to_wait_for_);
98 }
99
100 // CertVerifier implementation:
Verify(const net::CertVerifier::RequestParams & params,net::CertVerifyResult * verify_result,net::CompletionOnceCallback callback,std::unique_ptr<net::CertVerifier::Request> * out_req,const net::NetLogWithSource & net_log)101 int Verify(const net::CertVerifier::RequestParams& params,
102 net::CertVerifyResult* verify_result,
103 net::CompletionOnceCallback callback,
104 std::unique_ptr<net::CertVerifier::Request>* out_req,
105 const net::NetLogWithSource& net_log) override {
106 ADD_FAILURE() << "Verify should not be called by tests";
107 return net::ERR_FAILED;
108 }
SetConfig(const Config & config)109 void SetConfig(const Config& config) override {
110 ++observed_changes_;
111 verifier_config_during_change_ = config;
112 if (run_loop_)
113 run_loop_->Quit();
114 }
115
116 // Waits for a SSLConfig change. The first time it's called, waits for the
117 // first change, if one hasn't been observed already, the second time, waits
118 // for the second, etc. Must be called once for each change that happens, and
119 // fails it more than once change happens between calls, or during a call.
WaitForChange()120 void WaitForChange() {
121 EXPECT_FALSE(run_loop_);
122 ++changes_to_wait_for_;
123 if (changes_to_wait_for_ == observed_changes_)
124 return;
125 EXPECT_LT(observed_changes_, changes_to_wait_for_);
126
127 run_loop_ = std::make_unique<base::RunLoop>();
128 run_loop_->Run();
129 run_loop_.reset();
130 EXPECT_EQ(observed_changes_, changes_to_wait_for_);
131 }
132
verifier_config_during_change() const133 const net::CertVerifier::Config& verifier_config_during_change() const {
134 return verifier_config_during_change_;
135 }
136
observed_changes() const137 int observed_changes() const { return observed_changes_; }
138
139 private:
140 int observed_changes_ = 0;
141 int changes_to_wait_for_ = 0;
142 net::CertVerifier::Config verifier_config_during_change_;
143 std::unique_ptr<base::RunLoop> run_loop_;
144 };
145
146 class NetworkServiceSSLConfigServiceTest : public testing::Test {
147 public:
NetworkServiceSSLConfigServiceTest()148 NetworkServiceSSLConfigServiceTest()
149 : task_environment_(base::test::TaskEnvironment::MainThreadType::IO),
150 network_service_(NetworkService::CreateForTesting()) {}
~NetworkServiceSSLConfigServiceTest()151 ~NetworkServiceSSLConfigServiceTest() override {
152 NetworkContext::SetCertVerifierForTesting(nullptr);
153 }
154
155 // Creates a NetworkContext using the specified NetworkContextParams, and
156 // stores it in |network_context_|.
SetUpNetworkContext(mojom::NetworkContextParamsPtr network_context_params)157 void SetUpNetworkContext(
158 mojom::NetworkContextParamsPtr network_context_params) {
159 ssl_config_client_.reset();
160 network_context_params->ssl_config_client_receiver =
161 ssl_config_client_.BindNewPipeAndPassReceiver();
162 network_context_remote_.reset();
163 network_context_ = std::make_unique<NetworkContext>(
164 network_service_.get(),
165 network_context_remote_.BindNewPipeAndPassReceiver(),
166 std::move(network_context_params));
167 }
168
169 // Returns the current SSLContextConfig for |network_context_|.
GetSSLContextConfig()170 net::SSLContextConfig GetSSLContextConfig() {
171 return network_context_->url_request_context()
172 ->ssl_config_service()
173 ->GetSSLContextConfig();
174 }
175
176 // Runs two conversion tests for |mojo_config|. Uses it as a initial
177 // SSLConfig for a NetworkContext, making sure it matches
178 // |expected_net_config|. Then switches to the default configuration and then
179 // back to |mojo_config|, to make sure it works as a new configuration. The
180 // expected configuration must not be the default configuration.
RunConversionTests(const mojom::SSLConfig & mojo_config,const net::SSLContextConfig & expected_net_config)181 void RunConversionTests(const mojom::SSLConfig& mojo_config,
182 const net::SSLContextConfig& expected_net_config) {
183 // The expected configuration must not be the default configuration, or the
184 // change test won't send an event.
185 EXPECT_FALSE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
186 net::SSLContextConfig(), expected_net_config));
187
188 // Set up |mojo_config| as the initial configuration of a NetworkContext.
189 mojom::NetworkContextParamsPtr network_context_params =
190 mojom::NetworkContextParams::New();
191 network_context_params->initial_ssl_config = mojo_config.Clone();
192 SetUpNetworkContext(std::move(network_context_params));
193 EXPECT_TRUE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
194 GetSSLContextConfig(), expected_net_config));
195 // Sanity check.
196 EXPECT_FALSE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
197 GetSSLContextConfig(), net::SSLContextConfig()));
198
199 // Reset the configuration to the default ones, and check the results.
200 TestSSLConfigServiceObserver observer(
201 network_context_->url_request_context()->ssl_config_service());
202 ssl_config_client_->OnSSLConfigUpdated(mojom::SSLConfig::New());
203 observer.WaitForChange();
204 EXPECT_TRUE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
205 GetSSLContextConfig(), net::SSLContextConfig()));
206 EXPECT_TRUE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
207 observer.ssl_context_config_during_change(), net::SSLContextConfig()));
208 // Sanity check.
209 EXPECT_FALSE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
210 GetSSLContextConfig(), expected_net_config));
211
212 // Set the configuration to |mojo_config| again, and check the results.
213 ssl_config_client_->OnSSLConfigUpdated(mojo_config.Clone());
214 observer.WaitForChange();
215 EXPECT_TRUE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
216 GetSSLContextConfig(), expected_net_config));
217 EXPECT_TRUE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
218 observer.ssl_context_config_during_change(), expected_net_config));
219 }
220
221 // Runs two conversion tests for |mojo_config|. Uses it as an initial
222 // net::CertVerifier::Config for a NetworkContext, making sure it matches
223 // |expected_net_config|. Then switches to the default configuration and then
224 // back to |mojo_config|, to make sure it works as a new configuration. The
225 // expected configuration must not be the default configuration.
RunCertConversionTests(const mojom::SSLConfig & mojo_config,const net::CertVerifier::Config & expected_net_config)226 void RunCertConversionTests(
227 const mojom::SSLConfig& mojo_config,
228 const net::CertVerifier::Config& expected_net_config) {
229 TestCertVerifierConfigObserver observer;
230 NetworkContext::SetCertVerifierForTesting(&observer);
231
232 EXPECT_NE(net::CertVerifier::Config(), expected_net_config);
233
234 // Set up |mojo_config| as the initial configuration of a NetworkContext.
235 mojom::NetworkContextParamsPtr network_context_params =
236 mojom::NetworkContextParams::New();
237 network_context_params->initial_ssl_config = mojo_config.Clone();
238 SetUpNetworkContext(std::move(network_context_params));
239
240 // Make sure the initial configuration is set.
241 observer.WaitForChange();
242 EXPECT_EQ(observer.verifier_config_during_change(), expected_net_config);
243 // Sanity check.
244 EXPECT_NE(observer.verifier_config_during_change(),
245 net::CertVerifier::Config());
246
247 // Reset the configuration to the default ones, and check the results.
248 ssl_config_client_->OnSSLConfigUpdated(mojom::SSLConfig::New());
249 observer.WaitForChange();
250 EXPECT_EQ(observer.verifier_config_during_change(),
251 net::CertVerifier::Config());
252 // Sanity check.
253 EXPECT_NE(observer.verifier_config_during_change(), expected_net_config);
254
255 // Set the configuration to |mojo_config| again, and check the results.
256 ssl_config_client_->OnSSLConfigUpdated(mojo_config.Clone());
257 observer.WaitForChange();
258 EXPECT_EQ(observer.verifier_config_during_change(), expected_net_config);
259
260 // Reset the CertVerifier for subsequent invocations.
261 NetworkContext::SetCertVerifierForTesting(nullptr);
262 }
263
264 protected:
265 base::test::TaskEnvironment task_environment_;
266 std::unique_ptr<NetworkService> network_service_;
267 mojo::Remote<mojom::SSLConfigClient> ssl_config_client_;
268 mojo::Remote<mojom::NetworkContext> network_context_remote_;
269 std::unique_ptr<NetworkContext> network_context_;
270 };
271
272 // Check that passing in a no mojom::SSLConfig matches the default
273 // net::SSLConfig.
TEST_F(NetworkServiceSSLConfigServiceTest,NoSSLConfig)274 TEST_F(NetworkServiceSSLConfigServiceTest, NoSSLConfig) {
275 SetUpNetworkContext(mojom::NetworkContextParams::New());
276 EXPECT_TRUE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
277 GetSSLContextConfig(), net::SSLContextConfig()));
278
279 // Make sure the default TLS version range is as expected.
280 EXPECT_EQ(net::kDefaultSSLVersionMin, GetSSLContextConfig().version_min);
281 EXPECT_EQ(net::kDefaultSSLVersionMax, GetSSLContextConfig().version_max);
282 }
283
284 // Check that passing in the default mojom::SSLConfig matches the default
285 // net::SSLConfig.
TEST_F(NetworkServiceSSLConfigServiceTest,Default)286 TEST_F(NetworkServiceSSLConfigServiceTest, Default) {
287 mojom::NetworkContextParamsPtr network_context_params =
288 mojom::NetworkContextParams::New();
289 network_context_params->initial_ssl_config = mojom::SSLConfig::New();
290 SetUpNetworkContext(std::move(network_context_params));
291 EXPECT_TRUE(net::SSLConfigService::SSLContextConfigsAreEqualForTesting(
292 GetSSLContextConfig(), net::SSLContextConfig()));
293
294 // Make sure the default TLS version range is as expected.
295 EXPECT_EQ(net::kDefaultSSLVersionMin, GetSSLContextConfig().version_min);
296 EXPECT_EQ(net::kDefaultSSLVersionMax, GetSSLContextConfig().version_max);
297 }
298
299 // Check that passing in the default mojom::SSLConfig matches the default
300 // net::CertVerifier::Config.
TEST_F(NetworkServiceSSLConfigServiceTest,DefaultCertConfig)301 TEST_F(NetworkServiceSSLConfigServiceTest, DefaultCertConfig) {
302 TestCertVerifierConfigObserver observer;
303 NetworkContext::SetCertVerifierForTesting(&observer);
304
305 mojom::NetworkContextParamsPtr network_context_params =
306 mojom::NetworkContextParams::New();
307 network_context_params->initial_ssl_config = mojom::SSLConfig::New();
308 SetUpNetworkContext(std::move(network_context_params));
309
310 observer.WaitForChange();
311
312 net::CertVerifier::Config default_config;
313 EXPECT_EQ(observer.verifier_config_during_change(), default_config);
314
315 NetworkContext::SetCertVerifierForTesting(nullptr);
316 }
317
TEST_F(NetworkServiceSSLConfigServiceTest,RevCheckingEnabled)318 TEST_F(NetworkServiceSSLConfigServiceTest, RevCheckingEnabled) {
319 net::CertVerifier::Config expected_net_config;
320 // Use the opposite of the default value.
321 expected_net_config.enable_rev_checking =
322 !expected_net_config.enable_rev_checking;
323
324 mojom::SSLConfigPtr mojo_config = mojom::SSLConfig::New();
325 mojo_config->rev_checking_enabled = expected_net_config.enable_rev_checking;
326
327 RunCertConversionTests(*mojo_config, expected_net_config);
328 }
329
TEST_F(NetworkServiceSSLConfigServiceTest,RevCheckingRequiredLocalTrustAnchors)330 TEST_F(NetworkServiceSSLConfigServiceTest,
331 RevCheckingRequiredLocalTrustAnchors) {
332 net::CertVerifier::Config expected_net_config;
333 // Use the opposite of the default value.
334 expected_net_config.require_rev_checking_local_anchors =
335 !expected_net_config.require_rev_checking_local_anchors;
336
337 mojom::SSLConfigPtr mojo_config = mojom::SSLConfig::New();
338 mojo_config->rev_checking_required_local_anchors =
339 expected_net_config.require_rev_checking_local_anchors;
340
341 RunCertConversionTests(*mojo_config, expected_net_config);
342 }
343
TEST_F(NetworkServiceSSLConfigServiceTest,Sha1LocalAnchorsEnabled)344 TEST_F(NetworkServiceSSLConfigServiceTest, Sha1LocalAnchorsEnabled) {
345 net::CertVerifier::Config expected_net_config;
346 // Use the opposite of the default value.
347 expected_net_config.enable_sha1_local_anchors =
348 !expected_net_config.enable_sha1_local_anchors;
349
350 mojom::SSLConfigPtr mojo_config = mojom::SSLConfig::New();
351 mojo_config->sha1_local_anchors_enabled =
352 expected_net_config.enable_sha1_local_anchors;
353
354 RunCertConversionTests(*mojo_config, expected_net_config);
355 }
356
TEST_F(NetworkServiceSSLConfigServiceTest,SymantecEnforcementDisabled)357 TEST_F(NetworkServiceSSLConfigServiceTest, SymantecEnforcementDisabled) {
358 net::CertVerifier::Config expected_net_config;
359 // Use the opposite of the default value.
360 expected_net_config.disable_symantec_enforcement =
361 !expected_net_config.disable_symantec_enforcement;
362
363 mojom::SSLConfigPtr mojo_config = mojom::SSLConfig::New();
364 mojo_config->symantec_enforcement_disabled =
365 expected_net_config.disable_symantec_enforcement;
366
367 RunCertConversionTests(*mojo_config, expected_net_config);
368 }
369
TEST_F(NetworkServiceSSLConfigServiceTest,SSLVersion)370 TEST_F(NetworkServiceSSLConfigServiceTest, SSLVersion) {
371 const struct {
372 mojom::SSLVersion mojo_ssl_version;
373 int net_ssl_version;
374 } kVersionTable[] = {
375 {mojom::SSLVersion::kTLS1, net::SSL_PROTOCOL_VERSION_TLS1},
376 {mojom::SSLVersion::kTLS11, net::SSL_PROTOCOL_VERSION_TLS1_1},
377 {mojom::SSLVersion::kTLS12, net::SSL_PROTOCOL_VERSION_TLS1_2},
378 {mojom::SSLVersion::kTLS13, net::SSL_PROTOCOL_VERSION_TLS1_3},
379 };
380
381 for (size_t min_index = 0; min_index < base::size(kVersionTable);
382 ++min_index) {
383 for (size_t max_index = min_index; max_index < base::size(kVersionTable);
384 ++max_index) {
385 // If the versions match the default values, skip this value in the table.
386 // The defaults will get plenty of testing anyways, when switching back to
387 // the default values in RunConversionTests().
388 if (kVersionTable[min_index].net_ssl_version ==
389 net::SSLContextConfig().version_min &&
390 kVersionTable[max_index].net_ssl_version ==
391 net::SSLContextConfig().version_max) {
392 continue;
393 }
394 net::SSLContextConfig expected_net_config;
395 expected_net_config.version_min =
396 kVersionTable[min_index].net_ssl_version;
397 expected_net_config.version_max =
398 kVersionTable[max_index].net_ssl_version;
399
400 mojom::SSLConfigPtr mojo_config = mojom::SSLConfig::New();
401 mojo_config->version_min = kVersionTable[min_index].mojo_ssl_version;
402 mojo_config->version_max = kVersionTable[max_index].mojo_ssl_version;
403
404 RunConversionTests(*mojo_config, expected_net_config);
405 }
406 }
407 }
408
TEST_F(NetworkServiceSSLConfigServiceTest,InitialConfigDisableCipherSuite)409 TEST_F(NetworkServiceSSLConfigServiceTest, InitialConfigDisableCipherSuite) {
410 net::SSLContextConfig expected_net_config;
411 expected_net_config.disabled_cipher_suites.push_back(0x0004);
412
413 mojom::SSLConfigPtr mojo_config = mojom::SSLConfig::New();
414 mojo_config->disabled_cipher_suites =
415 expected_net_config.disabled_cipher_suites;
416
417 RunConversionTests(*mojo_config, expected_net_config);
418 }
419
TEST_F(NetworkServiceSSLConfigServiceTest,InitialConfigDisableTwoCipherSuites)420 TEST_F(NetworkServiceSSLConfigServiceTest,
421 InitialConfigDisableTwoCipherSuites) {
422 net::SSLContextConfig expected_net_config;
423 expected_net_config.disabled_cipher_suites.push_back(0x0004);
424 expected_net_config.disabled_cipher_suites.push_back(0x0005);
425
426 mojom::SSLConfigPtr mojo_config = mojom::SSLConfig::New();
427 mojo_config->disabled_cipher_suites =
428 expected_net_config.disabled_cipher_suites;
429
430 RunConversionTests(*mojo_config, expected_net_config);
431 }
432
TEST_F(NetworkServiceSSLConfigServiceTest,InitialConfigTLS13Hardening)433 TEST_F(NetworkServiceSSLConfigServiceTest, InitialConfigTLS13Hardening) {
434 net::SSLContextConfig expected_net_config;
435 expected_net_config.tls13_hardening_for_local_anchors_enabled = true;
436
437 mojom::SSLConfigPtr mojo_config = mojom::SSLConfig::New();
438 mojo_config->tls13_hardening_for_local_anchors_enabled = true;
439
440 RunConversionTests(*mojo_config, expected_net_config);
441 }
442
TEST_F(NetworkServiceSSLConfigServiceTest,CanShareConnectionWithClientCerts)443 TEST_F(NetworkServiceSSLConfigServiceTest, CanShareConnectionWithClientCerts) {
444 // Create a default NetworkContext and test that
445 // CanShareConnectionWithClientCerts returns false.
446 SetUpNetworkContext(mojom::NetworkContextParams::New());
447
448 net::SSLConfigService* config_service =
449 network_context_->url_request_context()->ssl_config_service();
450
451 EXPECT_FALSE(
452 config_service->CanShareConnectionWithClientCerts("example.com"));
453 EXPECT_FALSE(
454 config_service->CanShareConnectionWithClientCerts("example.net"));
455
456 // Configure policy to allow example.com (but no subdomains), and example.net
457 // (including subdomains), update the config, and test that pooling is allowed
458 // with this policy.
459 mojom::SSLConfigPtr mojo_config = mojom::SSLConfig::New();
460 mojo_config->client_cert_pooling_policy = {".example.com", "example.net"};
461
462 TestSSLConfigServiceObserver observer(config_service);
463 ssl_config_client_->OnSSLConfigUpdated(std::move(mojo_config));
464 observer.WaitForChange();
465
466 EXPECT_TRUE(config_service->CanShareConnectionWithClientCerts("example.com"));
467 EXPECT_FALSE(
468 config_service->CanShareConnectionWithClientCerts("sub.example.com"));
469
470 EXPECT_TRUE(config_service->CanShareConnectionWithClientCerts("example.net"));
471 EXPECT_TRUE(
472 config_service->CanShareConnectionWithClientCerts("sub.example.net"));
473 EXPECT_TRUE(
474 config_service->CanShareConnectionWithClientCerts("sub.sub.example.net"));
475 EXPECT_FALSE(
476 config_service->CanShareConnectionWithClientCerts("notexample.net"));
477
478 EXPECT_FALSE(
479 config_service->CanShareConnectionWithClientCerts("example.org"));
480
481 // Reset the configuration to the default and check that pooling is no longer
482 // allowed.
483 ssl_config_client_->OnSSLConfigUpdated(mojom::SSLConfig::New());
484 observer.WaitForChange();
485
486 EXPECT_FALSE(
487 config_service->CanShareConnectionWithClientCerts("example.com"));
488 EXPECT_FALSE(
489 config_service->CanShareConnectionWithClientCerts("example.net"));
490 }
491
492 #if !defined(OS_IOS) && !defined(OS_ANDROID)
TEST_F(NetworkServiceSSLConfigServiceTest,CRLSetIsApplied)493 TEST_F(NetworkServiceSSLConfigServiceTest, CRLSetIsApplied) {
494 SetUpNetworkContext(mojom::NetworkContextParams::New());
495
496 SSLConfigServiceMojo* config_service = static_cast<SSLConfigServiceMojo*>(
497 network_context_->url_request_context()->ssl_config_service());
498
499 scoped_refptr<net::X509Certificate> root_cert =
500 net::CreateCertificateChainFromFile(
501 net::GetTestCertsDirectory(), "root_ca_cert.pem",
502 net::X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
503 ASSERT_TRUE(root_cert);
504 net::ScopedTestRoot test_root(root_cert.get());
505
506 scoped_refptr<net::X509Certificate> cert =
507 net::CreateCertificateChainFromFile(
508 net::GetTestCertsDirectory(), "ok_cert.pem",
509 net::X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
510 ASSERT_TRUE(cert);
511
512 // Ensure that |cert| is trusted without any CRLSet explicitly configured.
513 net::TestCompletionCallback callback1;
514 net::CertVerifyResult cert_verify_result1;
515 std::unique_ptr<net::CertVerifier::Request> request1;
516 int result = network_context_->url_request_context()->cert_verifier()->Verify(
517 net::CertVerifier::RequestParams(cert, "127.0.0.1",
518 /*flags=*/0,
519 /*ocsp_response=*/std::string(),
520 /*sct_list=*/std::string()),
521 &cert_verify_result1, callback1.callback(), &request1,
522 net::NetLogWithSource());
523 ASSERT_THAT(callback1.GetResult(result), net::test::IsOk());
524
525 // Configure an explicit CRLSet that removes trust in |leaf_cert| by SPKI.
526 base::StringPiece spki;
527 ASSERT_TRUE(net::asn1::ExtractSPKIFromDERCert(
528 net::x509_util::CryptoBufferAsStringPiece(root_cert->cert_buffer()),
529 &spki));
530 net::SHA256HashValue spki_sha256;
531 crypto::SHA256HashString(spki, spki_sha256.data, sizeof(spki_sha256.data));
532
533 config_service->OnNewCRLSet(net::CRLSet::ForTesting(
534 false, &spki_sha256, cert->serial_number(), "", {}));
535
536 // Ensure that |cert| is revoked, due to the CRLSet being applied.
537 net::TestCompletionCallback callback2;
538 net::CertVerifyResult cert_verify_result2;
539 std::unique_ptr<net::CertVerifier::Request> request2;
540 result = network_context_->url_request_context()->cert_verifier()->Verify(
541 net::CertVerifier::RequestParams(cert, "127.0.0.1",
542 /*flags=*/0,
543 /*ocsp_response=*/std::string(),
544 /*sct_list=*/std::string()),
545 &cert_verify_result2, callback2.callback(), &request2,
546 net::NetLogWithSource());
547 ASSERT_THAT(callback2.GetResult(result),
548 net::test::IsError(net::ERR_CERT_REVOKED));
549 }
550
551 #endif // !defined(OS_IOS) && !defined(OS_ANDROID)
552
553 } // namespace
554 } // namespace network
555