net/cert/cert_policy_enforcer_unittest.cc - Issue 1032093002: Certificate Transparency: Correct month calculation.

Side by Side Diff: net/cert/cert_policy_enforcer_unittest.cc

Issue 1032093002: Certificate Transparency: Correct month calculation. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Addressing davidben's comments Created 5 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_policy_enforcer.h"	5 #include "net/cert/cert_policy_enforcer.h"

6	6

7 #include <string>	7 #include <string>

8	8

9 #include "base/memory/scoped_ptr.h"	9 #include "base/memory/scoped_ptr.h"

10 #include "base/version.h"	10 #include "base/version.h"

(...skipping 49 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
60 int num_scts,	60 int num_scts,

61 ct::CTVerifyResult* result) {	61 ct::CTVerifyResult* result) {

62 for (int i = 0; i < num_scts; ++i) {	62 for (int i = 0; i < num_scts; ++i) {

63 scoped_refptr<ct::SignedCertificateTimestamp> sct(	63 scoped_refptr<ct::SignedCertificateTimestamp> sct(

64 new ct::SignedCertificateTimestamp());	64 new ct::SignedCertificateTimestamp());

65 sct->origin = desired_origin;	65 sct->origin = desired_origin;

66 result->verified_scts.push_back(sct);	66 result->verified_scts.push_back(sct);

67 }	67 }

68 }	68 }

69	69

	70 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(

	71 const base::Time& start,

	72 const base::Time& end,

	73 size_t required_scts) {

	74 scoped_refptr<X509Certificate> cert(

	75 new X509Certificate("subject", "issuer", start, end));

	76 ct::CTVerifyResult result;

	77 for (size_t i = 0; i < required_scts - 1; ++i) {

	78 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,

	79 1, &result);

	80 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(

	81 cert.get(), nullptr, result, BoundNetLog()))

	82 << " for: " << (end - start).InDays() << " and " << required_scts

	83 << " scts=" << result.verified_scts.size() << " i=" << i;

	84 }

	85 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,

	86 &result);

	87 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(

	88 cert.get(), nullptr, result, BoundNetLog()))

	89 << " for: " << (end - start).InDays() << " and " << required_scts

	90 << " scts=" << result.verified_scts.size();

	91 }

	92

70 protected:	93 protected:

71 scoped_ptr<CertPolicyEnforcer> policy_enforcer_;	94 scoped_ptr<CertPolicyEnforcer> policy_enforcer_;

72 scoped_refptr<X509Certificate> chain_;	95 scoped_refptr<X509Certificate> chain_;

73 };	96 };

74	97

75 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {	98 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {

76 ct::CTVerifyResult result;	99 ct::CTVerifyResult result;

77 FillResultWithSCTsOfOrigin(	100 FillResultWithSCTsOfOrigin(

78 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);	101 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);

79	102

(...skipping 53 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
133 no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));	156 no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));

134 // ... but should be OK if whitelisted.	157 // ... but should be OK if whitelisted.

135 scoped_refptr<ct::EVCertsWhitelist> whitelist(	158 scoped_refptr<ct::EVCertsWhitelist> whitelist(

136 new DummyEVCertsWhitelist(true, true));	159 new DummyEVCertsWhitelist(true, true));

137 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(	160 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(

138 chain_.get(), whitelist.get(), result, BoundNetLog()));	161 chain_.get(), whitelist.get(), result, BoundNetLog()));

139 }	162 }

140	163

141 TEST_F(CertPolicyEnforcerTest,	164 TEST_F(CertPolicyEnforcerTest,

142 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {	165 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {

143 // Test multiple validity periods: Over 27 months, Over 15 months (but less	166 // Test multiple validity periods

144 // than 27 months),	167 const struct TestData {

145 // Less than 15 months.	168 base::Time validity_start;

146 const size_t validity_period[] = {12, 19, 30, 50};	169 base::Time validity_end;

147 const size_t needed_scts[] = {2, 3, 4, 5};	170 size_t scts_required;

	171 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.

	172 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),

	173 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),

	174 2},

	175 {// Cert valid for exactly 15 months, needs 3 SCTs.

	176 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),

	177 base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),

	178 3},

	179 {// Cert valid for over 15 months, needs 3 SCTs.

	180 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),

	181 base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),

	182 3},

	183 {// Cert valid for exactly 27 months, needs 3 SCTs.

	184 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),

	185 base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),

	186 3},

	187 {// Cert valid for over 27 months, needs 4 SCTs.

	188 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),

	189 base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),

	190 4},

	191 {// Cert valid for exactly 39 months, needs 4 SCTs.

	192 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),

	193 base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),

	194 4},

	195 {// Cert valid for over 39 months, needs 5 SCTs.

	196 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),

	197 base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),

	198 5}};

148	199

149 for (int i = 0; i < 3; ++i) {	200 for (size_t i = 0; i < arraysize(kTestData); ++i) {

150 size_t curr_validity = validity_period[i];	201 SCOPED_TRACE(i);

151 scoped_refptr<X509Certificate> cert(new X509Certificate(	202 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(

152 "subject", "issuer", base::Time::Now(),	203 kTestData[i].validity_start, kTestData[i].validity_end,

153 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity)));	204 kTestData[i].scts_required);

154 size_t curr_required_scts = needed_scts[i];

155 ct::CTVerifyResult result;

156 for (size_t j = 0; j < curr_required_scts - 1; ++j) {

157 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,

158 1, &result);

159 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(

160 cert.get(), nullptr, result, BoundNetLog()))

161 << " for: " << curr_validity << " and " << curr_required_scts

162 << " scts=" << result.verified_scts.size() << " j=" << j;

163 }

164 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,

165 &result);

166 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(

167 cert.get(), nullptr, result, BoundNetLog()));

168 }	205 }

169 }	206 }

170	207

171 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {	208 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {

172 scoped_refptr<ct::EVCertsWhitelist> whitelist(	209 scoped_refptr<ct::EVCertsWhitelist> whitelist(

173 new DummyEVCertsWhitelist(true, true));	210 new DummyEVCertsWhitelist(true, true));

174	211

175 ct::CTVerifyResult result;	212 ct::CTVerifyResult result;

176 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,	213 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,

177 &result);	214 &result);

(...skipping 16 matching lines...) Expand all Loading...
194 ct::CTVerifyResult result;	231 ct::CTVerifyResult result;

195 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,	232 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,

196 &result);	233 &result);

197 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(	234 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(

198 chain_.get(), nullptr, result, BoundNetLog()));	235 chain_.get(), nullptr, result, BoundNetLog()));

199 }	236 }

200	237

201 } // namespace	238 } // namespace

202	239

203 } // namespace net	240 } // namespace net

OLD	NEW

« no previous file with comments | « net/cert/cert_policy_enforcer.cc ('k') | no next file » | no next file with comments »