Certificate Transparency: Correct month calculation.

net/cert/cert_policy_enforcer_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_policy_enforcer.h"
 
 #include <string>
 
 #include "base/memory/scoped_ptr.h"
 #include "base/version.h"
@@ skipping 49 matching lines @@
       int num_scts,
       ct::CTVerifyResult* result) {
     for (int i = 0; i < num_scts; ++i) {
       scoped_refptr<ct::SignedCertificateTimestamp> sct(
           new ct::SignedCertificateTimestamp());
       sct->origin = desired_origin;
       result->verified_scts.push_back(sct);
     }
   }
 
+  void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
+      const base::Time& start,
+      const base::Time& end,
+      size_t required_scts) {
+    scoped_refptr<X509Certificate> cert(
+        new X509Certificate("subject", "issuer", start, end));
+    ct::CTVerifyResult result;
+    for (size_t i = 0; i < required_scts - 1; ++i) {
+      FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
+                                 1, &result);
+      EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
+          cert.get(), nullptr, result, BoundNetLog()))
+          << " for: " << (end - start).InDays() << " and " << required_scts
+          << " scts=" << result.verified_scts.size() << " i=" << i;
+    }
+    FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
+                               &result);
+    EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
+        cert.get(), nullptr, result, BoundNetLog()))
+        << " for: " << (end - start).InDays() << " and " << required_scts
+        << " scts=" << result.verified_scts.size();
+  }
+
  protected:
   scoped_ptr<CertPolicyEnforcer> policy_enforcer_;
   scoped_refptr<X509Certificate> chain_;
 };
 
 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(
       ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
 
@@ skipping 53 matching lines @@
       no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
   // ... but should be OK if whitelisted.
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(true, true));
   EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), whitelist.get(), result, BoundNetLog()));
 }
 
 TEST_F(CertPolicyEnforcerTest,
        ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
-  // Test multiple validity periods: Over 27 months, Over 15 months (but less
-  // than 27 months),
-  // Less than 15 months.
-  const size_t validity_period[] = {12, 19, 30, 50};
-  const size_t needed_scts[] = {2, 3, 4, 5};
+  // Test multiple validity periods:
+  // Under 15 months
+  // Over 15 months, less than 27 months
+  // Over 27 months, less than 39 months
+  // Over 39 months

[davidben, 2015/03/25 19:10:11]

This list in the comment seems to be slightly out of date now. Perhaps just
remove it?

[Eran Messeri, 2015/03/26 10:47:17]

Done.

+  const struct TestData {
+    base::Time validity_start;
+    base::Time validity_end;
+    size_t scts_required;
+  } kTestData[] = {{// 14 months, need 2

[davidben, 2015/03/25 19:10:11]

Oh clang-format. :-/ I don't know how to convince it to indent that better
though, so I suppose we can leave it.

[Eran Messeri, 2015/03/26 10:47:17]

Yes, clang-format. While I don't like it either myself, consistency wins in this
case.

+                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+                    base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
+                    2},
+                   {// exactly 15 months, need 3

[davidben, 2015/03/25 19:10:11]

Nit: They're not really complete sentences, but better to  capitalize the first
letter anyway. I'd also end with a period.

[Eran Messeri, 2015/03/26 10:47:18]

Done.

+                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+                    base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),
+                    3},
+                   {// over 15 months by a few days, need 3
+                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+                    base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),
+                    3},
+                   {// exactly 27 months, need 3
+                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+                    base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),
+                    3},
+                   {// over 27 months by a few days, need 4
+                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+                    base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),
+                    4},
+                   {// exactly 39 months, need 4
+                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+                    base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),
+                    4},
+                   {// over 39 months by a few days, need 5
+                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+                    base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),
+                    5}};
 
-  for (int i = 0; i < 3; ++i) {
-    size_t curr_validity = validity_period[i];
-    scoped_refptr<X509Certificate> cert(new X509Certificate(
-        "subject", "issuer", base::Time::Now(),
-        base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity)));
-    size_t curr_required_scts = needed_scts[i];
-    ct::CTVerifyResult result;
-    for (size_t j = 0; j < curr_required_scts - 1; ++j) {
-      FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
-                                 1, &result);
-      EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
-          cert.get(), nullptr, result, BoundNetLog()))
-          << " for: " << curr_validity << " and " << curr_required_scts
-          << " scts=" << result.verified_scts.size() << " j=" << j;
-    }
-    FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
-                               &result);
-    EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
-        cert.get(), nullptr, result, BoundNetLog()));
+  for (size_t i = 0; i < arraysize(kTestData); ++i) {

[davidben, 2015/03/25 19:10:11]

Still would prefer adding the SCOPED_TRACE. It's in the EXPECT_* output, but
this way you don't need to go back and do arithmetic and search for which one it
was.

[Eran Messeri, 2015/03/26 10:47:17]

Done.

+    CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
+        kTestData[i].validity_start, kTestData[i].validity_end,
+        kTestData[i].scts_required);
   }
 }
 
 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(true, true));
 
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);
@@ skipping 16 matching lines @@
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);
   EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), nullptr, result, BoundNetLog()));
 }
 
 }  // namespace
 
 }  // namespace net