Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(52)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/ct_policy_enforcer_unittest.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: update some comments Created 4 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/ct_policy_enforcer.cc ('K') | « net/cert/ct_policy_enforcer.cc ('k') | net/quic/crypto/proof_verifier_chromium.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/ct_policy_enforcer.h" 5 #include "net/cert/ct_policy_enforcer.h"
6 6
7 #include <string> 7 #include <string>
8 8
9 #include "base/memory/scoped_ptr.h" 9 #include "base/memory/scoped_ptr.h"
10 #include "base/time/time.h" 10 #include "base/time/time.h"
(...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after
116 const base::Time& start, 116 const base::Time& start,
117 const base::Time& end, 117 const base::Time& end,
118 size_t required_scts) { 118 size_t required_scts) {
119 scoped_refptr<X509Certificate> cert( 119 scoped_refptr<X509Certificate> cert(
120 new X509Certificate("subject", "issuer", start, end)); 120 new X509Certificate("subject", "issuer", start, end));
121 ct::CTVerifyResult result; 121 ct::CTVerifyResult result;
122 122
123 for (size_t i = 0; i < required_scts - 1; ++i) { 123 for (size_t i = 0; i < required_scts - 1; ++i) {
124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
125 1, std::vector<std::string>(), false, &result); 125 1, std::vector<std::string>(), false, &result);
126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTPolicy(
127 cert.get(), nullptr, result, BoundNetLog())) 127 cert.get(), nullptr, result, BoundNetLog()))
128 << " for: " << (end - start).InDays() << " and " << required_scts 128 << " for: " << (end - start).InDays() << " and " << required_scts
129 << " scts=" << result.verified_scts.size() << " i=" << i; 129 << " scts=" << result.verified_scts.size() << " i=" << i;
130 } 130 }
131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
132 std::vector<std::string>(), false, &result); 132 std::vector<std::string>(), false, &result);
133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTPolicy(cert.get(), nullptr,
134 cert.get(), nullptr, result, BoundNetLog())) 134 result, BoundNetLog()))
135 << " for: " << (end - start).InDays() << " and " << required_scts 135 << " for: " << (end - start).InDays() << " and " << required_scts
136 << " scts=" << result.verified_scts.size(); 136 << " scts=" << result.verified_scts.size();
137 } 137 }
138 138
139 protected: 139 protected:
140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; 140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_;
141 scoped_refptr<X509Certificate> chain_; 141 scoped_refptr<X509Certificate> chain_;
142 std::string google_log_id_; 142 std::string google_log_id_;
143 std::string non_google_log_id_; 143 std::string non_google_log_id_;
144 }; 144 };
145 145
146 TEST_F(CTPolicyEnforcerTest, 146 TEST_F(CTPolicyEnforcerTest,
147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { 147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) {
148 ct::CTVerifyResult result; 148 ct::CTVerifyResult result;
149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); 149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);
150 150
151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTPolicy(chain_.get(), nullptr,
152 chain_.get(), nullptr, result, BoundNetLog())); 152 result, BoundNetLog()));
153 } 153 }
154 154
155 TEST_F(CTPolicyEnforcerTest, 155 TEST_F(CTPolicyEnforcerTest,
156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { 156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) {
157 ct::CTVerifyResult result; 157 ct::CTVerifyResult result;
158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); 158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);
159 159
160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTPolicy(chain_.get(), nullptr,
161 chain_.get(), nullptr, result, BoundNetLog())); 161 result, BoundNetLog()));
162 } 162 }
163 163
164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { 164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
165 ct::CTVerifyResult result; 165 ct::CTVerifyResult result;
166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); 166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);
167 167
168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTPolicy(chain_.get(), nullptr,
169 result, BoundNetLog())); 169 result, BoundNetLog()));
170 } 170 }
171 171
172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { 172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
173 ct::CTVerifyResult result; 173 ct::CTVerifyResult result;
174 FillResultWithSCTsOfOrigin( 174 FillResultWithSCTsOfOrigin(
175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); 175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
176 176
177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTPolicy(chain_.get(), nullptr,
178 result, BoundNetLog())); 178 result, BoundNetLog()));
179 } 179 }
180 180
181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { 181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. 182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
183 ct::CTVerifyResult result; 183 ct::CTVerifyResult result;
184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
185 &result); 185 &result);
186 186
187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTPolicy(chain_.get(), nullptr,
188 result, BoundNetLog())); 188 result, BoundNetLog()));
189 } 189 }
190 190
191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { 191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( 192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
193 new DummyEVCertsWhitelist(true, false)); 193 new DummyEVCertsWhitelist(true, false));
194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. 194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
195 // However, as there are only two logs, two SCTs will be required - supply one 195 // However, as there are only two logs, two SCTs will be required - supply one
196 // to guarantee the test fails. 196 // to guarantee the test fails.
197 ct::CTVerifyResult result; 197 ct::CTVerifyResult result;
198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
199 &result); 199 &result);
200 200
201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTPolicy(
202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); 202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));
203 203
204 // ... but should be OK if whitelisted. 204 // ... but should be OK if whitelisted.
205 scoped_refptr<ct::EVCertsWhitelist> whitelist( 205 scoped_refptr<ct::EVCertsWhitelist> whitelist(
206 new DummyEVCertsWhitelist(true, true)); 206 new DummyEVCertsWhitelist(true, true));
207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTPolicy(
208 chain_.get(), whitelist.get(), result, BoundNetLog())); 208 chain_.get(), whitelist.get(), result, BoundNetLog()));
209 } 209 }
210 210
211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { 211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( 212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
213 "subject", "issuer", base::Time(), base::Time::Now())); 213 "subject", "issuer", base::Time(), base::Time::Now()));
214 ct::CTVerifyResult result; 214 ct::CTVerifyResult result;
215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
216 &result); 216 &result);
217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTPolicy(
218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); 218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
219 // ... but should be OK if whitelisted. 219 // ... but should be OK if whitelisted.
220 scoped_refptr<ct::EVCertsWhitelist> whitelist( 220 scoped_refptr<ct::EVCertsWhitelist> whitelist(
221 new DummyEVCertsWhitelist(true, true)); 221 new DummyEVCertsWhitelist(true, true));
222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTPolicy(
223 chain_.get(), whitelist.get(), result, BoundNetLog())); 223 chain_.get(), whitelist.get(), result, BoundNetLog()));
224 } 224 }
225 225
226 TEST_F(CTPolicyEnforcerTest, 226 TEST_F(CTPolicyEnforcerTest,
227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { 227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
228 // Test multiple validity periods 228 // Test multiple validity periods
229 const struct TestData { 229 const struct TestData {
230 base::Time validity_start; 230 base::Time validity_start;
231 base::Time validity_end; 231 base::Time validity_end;
232 size_t scts_required; 232 size_t scts_required;
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after
267 } 267 }
268 } 268 }
269 269
270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { 270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
271 scoped_refptr<ct::EVCertsWhitelist> whitelist( 271 scoped_refptr<ct::EVCertsWhitelist> whitelist(
272 new DummyEVCertsWhitelist(true, true)); 272 new DummyEVCertsWhitelist(true, true));
273 273
274 ct::CTVerifyResult result; 274 ct::CTVerifyResult result;
275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
276 &result); 276 &result);
277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTPolicy(
278 chain_.get(), whitelist.get(), result, BoundNetLog())); 278 chain_.get(), whitelist.get(), result, BoundNetLog()));
279 } 279 }
280 280
281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { 281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
282 scoped_refptr<ct::EVCertsWhitelist> whitelist( 282 scoped_refptr<ct::EVCertsWhitelist> whitelist(
283 new DummyEVCertsWhitelist(false, true)); 283 new DummyEVCertsWhitelist(false, true));
284 284
285 ct::CTVerifyResult result; 285 ct::CTVerifyResult result;
286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
287 &result); 287 &result);
288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTPolicy(
289 chain_.get(), whitelist.get(), result, BoundNetLog())); 289 chain_.get(), whitelist.get(), result, BoundNetLog()));
290 } 290 }
291 291
292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { 292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
293 ct::CTVerifyResult result; 293 ct::CTVerifyResult result;
294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
295 &result); 295 &result);
296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTPolicy(chain_.get(), nullptr,
297 chain_.get(), nullptr, result, BoundNetLog())); 297 result, BoundNetLog()));
298 } 298 }
299 299
300 } // namespace 300 } // namespace
301 301
302 } // namespace net 302 } // namespace net
OLDNEW
« net/cert/ct_policy_enforcer.cc ('K') | « net/cert/ct_policy_enforcer.cc ('k') | net/quic/crypto/proof_verifier_chromium.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698