OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
(...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
119 const base::Time& start, | 119 const base::Time& start, |
120 const base::Time& end, | 120 const base::Time& end, |
121 size_t required_scts) { | 121 size_t required_scts) { |
122 scoped_refptr<X509Certificate> cert( | 122 scoped_refptr<X509Certificate> cert( |
123 new X509Certificate("subject", "issuer", start, end)); | 123 new X509Certificate("subject", "issuer", start, end)); |
124 ct::CTVerifyResult result; | 124 ct::CTVerifyResult result; |
125 | 125 |
126 for (size_t i = 0; i < required_scts - 1; ++i) { | 126 for (size_t i = 0; i < required_scts - 1; ++i) { |
127 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 127 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
128 1, std::vector<std::string>(), false, &result); | 128 1, std::vector<std::string>(), false, &result); |
| 129 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 130 policy_enforcer_->DoesConformToCertPolicy( |
| 131 cert.get(), result.verified_scts, BoundNetLog())) |
| 132 << " for: " << (end - start).InDays() << " and " << required_scts |
| 133 << " scts=" << result.verified_scts.size() << " i=" << i; |
129 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 134 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
130 policy_enforcer_->DoesConformToCTEVPolicy( | 135 policy_enforcer_->DoesConformToCTEVPolicy( |
131 cert.get(), nullptr, result.verified_scts, BoundNetLog())) | 136 cert.get(), nullptr, result.verified_scts, BoundNetLog())) |
132 << " for: " << (end - start).InDays() << " and " << required_scts | 137 << " for: " << (end - start).InDays() << " and " << required_scts |
133 << " scts=" << result.verified_scts.size() << " i=" << i; | 138 << " scts=" << result.verified_scts.size() << " i=" << i; |
134 } | 139 } |
135 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 140 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
136 std::vector<std::string>(), false, &result); | 141 std::vector<std::string>(), false, &result); |
| 142 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 143 policy_enforcer_->DoesConformToCertPolicy( |
| 144 cert.get(), result.verified_scts, BoundNetLog())) |
| 145 << " for: " << (end - start).InDays() << " and " << required_scts |
| 146 << " scts=" << result.verified_scts.size(); |
137 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 147 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
138 policy_enforcer_->DoesConformToCTEVPolicy( | 148 policy_enforcer_->DoesConformToCTEVPolicy( |
139 cert.get(), nullptr, result.verified_scts, BoundNetLog())) | 149 cert.get(), nullptr, result.verified_scts, BoundNetLog())) |
140 << " for: " << (end - start).InDays() << " and " << required_scts | 150 << " for: " << (end - start).InDays() << " and " << required_scts |
141 << " scts=" << result.verified_scts.size(); | 151 << " scts=" << result.verified_scts.size(); |
142 } | 152 } |
143 | 153 |
144 protected: | 154 protected: |
145 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; | 155 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
146 scoped_refptr<X509Certificate> chain_; | 156 scoped_refptr<X509Certificate> chain_; |
147 std::string google_log_id_; | 157 std::string google_log_id_; |
148 std::string non_google_log_id_; | 158 std::string non_google_log_id_; |
149 }; | 159 }; |
150 | 160 |
151 TEST_F(CTPolicyEnforcerTest, | 161 TEST_F(CTPolicyEnforcerTest, |
152 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 162 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
153 ct::CTVerifyResult result; | 163 ct::CTVerifyResult result; |
154 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); | 164 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
155 | 165 |
| 166 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 167 policy_enforcer_->DoesConformToCertPolicy( |
| 168 chain_.get(), result.verified_scts, BoundNetLog())); |
156 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 169 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
157 policy_enforcer_->DoesConformToCTEVPolicy( | 170 policy_enforcer_->DoesConformToCTEVPolicy( |
158 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | 171 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
159 } | 172 } |
160 | 173 |
161 TEST_F(CTPolicyEnforcerTest, | 174 TEST_F(CTPolicyEnforcerTest, |
162 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 175 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
163 ct::CTVerifyResult result; | 176 ct::CTVerifyResult result; |
164 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); | 177 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
165 | 178 |
| 179 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 180 policy_enforcer_->DoesConformToCertPolicy( |
| 181 chain_.get(), result.verified_scts, BoundNetLog())); |
166 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 182 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
167 policy_enforcer_->DoesConformToCTEVPolicy( | 183 policy_enforcer_->DoesConformToCTEVPolicy( |
168 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | 184 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
169 } | 185 } |
170 | 186 |
171 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 187 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
172 ct::CTVerifyResult result; | 188 ct::CTVerifyResult result; |
173 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); | 189 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
174 | 190 |
| 191 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 192 policy_enforcer_->DoesConformToCertPolicy( |
| 193 chain_.get(), result.verified_scts, BoundNetLog())); |
175 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 194 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
176 policy_enforcer_->DoesConformToCTEVPolicy( | 195 policy_enforcer_->DoesConformToCTEVPolicy( |
177 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | 196 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
178 } | 197 } |
179 | 198 |
180 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 199 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
181 ct::CTVerifyResult result; | 200 ct::CTVerifyResult result; |
182 FillResultWithSCTsOfOrigin( | 201 FillResultWithSCTsOfOrigin( |
183 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 202 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
184 | 203 |
| 204 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 205 policy_enforcer_->DoesConformToCertPolicy( |
| 206 chain_.get(), result.verified_scts, BoundNetLog())); |
185 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 207 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
186 policy_enforcer_->DoesConformToCTEVPolicy( | 208 policy_enforcer_->DoesConformToCTEVPolicy( |
187 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | 209 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
188 } | 210 } |
189 | 211 |
190 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 212 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
191 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 213 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
192 ct::CTVerifyResult result; | 214 ct::CTVerifyResult result; |
193 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
194 &result); | 216 &result); |
195 | 217 |
| 218 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 219 policy_enforcer_->DoesConformToCertPolicy( |
| 220 chain_.get(), result.verified_scts, BoundNetLog())); |
196 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 221 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
197 policy_enforcer_->DoesConformToCTEVPolicy( | 222 policy_enforcer_->DoesConformToCTEVPolicy( |
198 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | 223 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
199 } | 224 } |
200 | 225 |
201 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 226 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
202 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 227 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
203 new DummyEVCertsWhitelist(true, false)); | 228 new DummyEVCertsWhitelist(true, false)); |
204 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 229 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
205 // However, as there are only two logs, two SCTs will be required - supply one | 230 // However, as there are only two logs, two SCTs will be required - supply one |
206 // to guarantee the test fails. | 231 // to guarantee the test fails. |
207 ct::CTVerifyResult result; | 232 ct::CTVerifyResult result; |
208 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 233 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
209 &result); | 234 &result); |
210 | 235 |
| 236 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 237 policy_enforcer_->DoesConformToCertPolicy( |
| 238 chain_.get(), result.verified_scts, BoundNetLog())); |
211 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 239 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
212 policy_enforcer_->DoesConformToCTEVPolicy( | 240 policy_enforcer_->DoesConformToCTEVPolicy( |
213 chain_.get(), non_including_whitelist.get(), | 241 chain_.get(), non_including_whitelist.get(), |
214 result.verified_scts, BoundNetLog())); | 242 result.verified_scts, BoundNetLog())); |
215 | 243 |
216 // ... but should be OK if whitelisted. | 244 // ... but should be OK if whitelisted. |
217 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 245 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
218 new DummyEVCertsWhitelist(true, true)); | 246 new DummyEVCertsWhitelist(true, true)); |
219 EXPECT_EQ( | 247 EXPECT_EQ( |
220 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 248 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
221 policy_enforcer_->DoesConformToCTEVPolicy( | 249 policy_enforcer_->DoesConformToCTEVPolicy( |
222 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | 250 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
223 } | 251 } |
224 | 252 |
225 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 253 // TODO(estark): fix this test so that it can check if |
| 254 // |no_valid_dates_cert| is on the whitelist without |
| 255 // crashing. https://crbug.com/582740 |
| 256 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) { |
226 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 257 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
227 "subject", "issuer", base::Time(), base::Time::Now())); | 258 "subject", "issuer", base::Time(), base::Time::Now())); |
| 259 ASSERT_TRUE(no_valid_dates_cert); |
228 ct::CTVerifyResult result; | 260 ct::CTVerifyResult result; |
229 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 261 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
230 &result); | 262 &result); |
| 263 EXPECT_EQ( |
| 264 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 265 policy_enforcer_->DoesConformToCertPolicy( |
| 266 no_valid_dates_cert.get(), result.verified_scts, BoundNetLog())); |
231 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 267 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
232 policy_enforcer_->DoesConformToCTEVPolicy( | 268 policy_enforcer_->DoesConformToCTEVPolicy( |
233 no_valid_dates_cert.get(), nullptr, result.verified_scts, | 269 no_valid_dates_cert.get(), nullptr, result.verified_scts, |
234 BoundNetLog())); | 270 BoundNetLog())); |
235 // ... but should be OK if whitelisted. | 271 // ... but should be OK if whitelisted. |
236 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 272 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
237 new DummyEVCertsWhitelist(true, true)); | 273 new DummyEVCertsWhitelist(true, true)); |
238 EXPECT_EQ( | 274 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
239 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 275 policy_enforcer_->DoesConformToCTEVPolicy( |
240 policy_enforcer_->DoesConformToCTEVPolicy( | 276 no_valid_dates_cert.get(), whitelist.get(), |
241 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | 277 result.verified_scts, BoundNetLog())); |
242 } | 278 } |
243 | 279 |
244 TEST_F(CTPolicyEnforcerTest, | 280 TEST_F(CTPolicyEnforcerTest, |
245 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 281 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
246 // Test multiple validity periods | 282 // Test multiple validity periods |
247 const struct TestData { | 283 const struct TestData { |
248 base::Time validity_start; | 284 base::Time validity_start; |
249 base::Time validity_end; | 285 base::Time validity_end; |
250 size_t scts_required; | 286 size_t scts_required; |
251 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 287 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
285 } | 321 } |
286 } | 322 } |
287 | 323 |
288 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 324 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
289 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 325 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
290 new DummyEVCertsWhitelist(true, true)); | 326 new DummyEVCertsWhitelist(true, true)); |
291 | 327 |
292 ct::CTVerifyResult result; | 328 ct::CTVerifyResult result; |
293 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 329 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
294 &result); | 330 &result); |
| 331 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 332 policy_enforcer_->DoesConformToCertPolicy( |
| 333 chain_.get(), result.verified_scts, BoundNetLog())); |
295 EXPECT_EQ( | 334 EXPECT_EQ( |
296 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 335 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
297 policy_enforcer_->DoesConformToCTEVPolicy( | 336 policy_enforcer_->DoesConformToCTEVPolicy( |
298 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | 337 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
299 } | 338 } |
300 | 339 |
301 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 340 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
302 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 341 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
303 new DummyEVCertsWhitelist(false, true)); | 342 new DummyEVCertsWhitelist(false, true)); |
304 | 343 |
(...skipping 11 matching lines...) Expand all Loading... |
316 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 355 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
317 &result); | 356 &result); |
318 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 357 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
319 policy_enforcer_->DoesConformToCTEVPolicy( | 358 policy_enforcer_->DoesConformToCTEVPolicy( |
320 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | 359 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
321 } | 360 } |
322 | 361 |
323 } // namespace | 362 } // namespace |
324 | 363 |
325 } // namespace net | 364 } // namespace net |
OLD | NEW |