
Side by Side Diff: net/cert/ct_policy_enforcer_unittest.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rsleevi nits Created 4 years, 10 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/ct_policy_enforcer.h" 5 #include "net/cert/ct_policy_enforcer.h"
6 6
7 #include <string> 7 #include <string>
8 8
9 #include "base/memory/scoped_ptr.h" 9 #include "base/memory/scoped_ptr.h"
10 #include "base/time/time.h" 10 #include "base/time/time.h"
(...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after
119 const base::Time& start, 119 const base::Time& start,
120 const base::Time& end, 120 const base::Time& end,
121 size_t required_scts) { 121 size_t required_scts) {
122 scoped_refptr<X509Certificate> cert( 122 scoped_refptr<X509Certificate> cert(
123 new X509Certificate("subject", "issuer", start, end)); 123 new X509Certificate("subject", "issuer", start, end));
124 ct::CTVerifyResult result; 124 ct::CTVerifyResult result;
125 125
126 for (size_t i = 0; i < required_scts - 1; ++i) { 126 for (size_t i = 0; i < required_scts - 1; ++i) {
127 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 127 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
128 1, std::vector<std::string>(), false, &result); 128 1, std::vector<std::string>(), false, &result);
129 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
130 policy_enforcer_->DoesConformToCertPolicy(
131 cert.get(), result.verified_scts, BoundNetLog()))
132 << " for: " << (end - start).InDays() << " and " << required_scts
133 << " scts=" << result.verified_scts.size() << " i=" << i;
129 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 134 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
130 policy_enforcer_->DoesConformToCTEVPolicy( 135 policy_enforcer_->DoesConformToCTEVPolicy(
131 cert.get(), nullptr, result.verified_scts, BoundNetLog())) 136 cert.get(), nullptr, result.verified_scts, BoundNetLog()))
132 << " for: " << (end - start).InDays() << " and " << required_scts 137 << " for: " << (end - start).InDays() << " and " << required_scts
133 << " scts=" << result.verified_scts.size() << " i=" << i; 138 << " scts=" << result.verified_scts.size() << " i=" << i;
134 } 139 }
135 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 140 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
136 std::vector<std::string>(), false, &result); 141 std::vector<std::string>(), false, &result);
142 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
143 policy_enforcer_->DoesConformToCertPolicy(
144 cert.get(), result.verified_scts, BoundNetLog()))
145 << " for: " << (end - start).InDays() << " and " << required_scts
146 << " scts=" << result.verified_scts.size();
137 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 147 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
138 policy_enforcer_->DoesConformToCTEVPolicy( 148 policy_enforcer_->DoesConformToCTEVPolicy(
139 cert.get(), nullptr, result.verified_scts, BoundNetLog())) 149 cert.get(), nullptr, result.verified_scts, BoundNetLog()))
140 << " for: " << (end - start).InDays() << " and " << required_scts 150 << " for: " << (end - start).InDays() << " and " << required_scts
141 << " scts=" << result.verified_scts.size(); 151 << " scts=" << result.verified_scts.size();
142 } 152 }
143 153
144 protected: 154 protected:
145 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; 155 scoped_ptr<CTPolicyEnforcer> policy_enforcer_;
146 scoped_refptr<X509Certificate> chain_; 156 scoped_refptr<X509Certificate> chain_;
147 std::string google_log_id_; 157 std::string google_log_id_;
148 std::string non_google_log_id_; 158 std::string non_google_log_id_;
149 }; 159 };
150 160
151 TEST_F(CTPolicyEnforcerTest, 161 TEST_F(CTPolicyEnforcerTest,
152 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { 162 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) {
153 ct::CTVerifyResult result; 163 ct::CTVerifyResult result;
154 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); 164 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);
155 165
166 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
167 policy_enforcer_->DoesConformToCertPolicy(
168 chain_.get(), result.verified_scts, BoundNetLog()));
156 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, 169 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
157 policy_enforcer_->DoesConformToCTEVPolicy( 170 policy_enforcer_->DoesConformToCTEVPolicy(
158 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); 171 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
159 } 172 }
160 173
161 TEST_F(CTPolicyEnforcerTest, 174 TEST_F(CTPolicyEnforcerTest,
162 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { 175 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) {
163 ct::CTVerifyResult result; 176 ct::CTVerifyResult result;
164 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); 177 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);
165 178
179 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
180 policy_enforcer_->DoesConformToCertPolicy(
181 chain_.get(), result.verified_scts, BoundNetLog()));
166 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, 182 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
167 policy_enforcer_->DoesConformToCTEVPolicy( 183 policy_enforcer_->DoesConformToCTEVPolicy(
168 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); 184 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
169 } 185 }
170 186
171 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { 187 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
172 ct::CTVerifyResult result; 188 ct::CTVerifyResult result;
173 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); 189 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);
174 190
191 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
192 policy_enforcer_->DoesConformToCertPolicy(
193 chain_.get(), result.verified_scts, BoundNetLog()));
175 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 194 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
176 policy_enforcer_->DoesConformToCTEVPolicy( 195 policy_enforcer_->DoesConformToCTEVPolicy(
177 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); 196 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
178 } 197 }
179 198
180 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { 199 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
181 ct::CTVerifyResult result; 200 ct::CTVerifyResult result;
182 FillResultWithSCTsOfOrigin( 201 FillResultWithSCTsOfOrigin(
183 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); 202 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
184 203
204 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
205 policy_enforcer_->DoesConformToCertPolicy(
206 chain_.get(), result.verified_scts, BoundNetLog()));
185 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 207 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
186 policy_enforcer_->DoesConformToCTEVPolicy( 208 policy_enforcer_->DoesConformToCTEVPolicy(
187 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); 209 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
188 } 210 }
189 211
190 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { 212 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
191 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. 213 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
192 ct::CTVerifyResult result; 214 ct::CTVerifyResult result;
193 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
194 &result); 216 &result);
195 217
218 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
219 policy_enforcer_->DoesConformToCertPolicy(
220 chain_.get(), result.verified_scts, BoundNetLog()));
196 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 221 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
197 policy_enforcer_->DoesConformToCTEVPolicy( 222 policy_enforcer_->DoesConformToCTEVPolicy(
198 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); 223 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
199 } 224 }
200 225
201 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { 226 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
202 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( 227 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
203 new DummyEVCertsWhitelist(true, false)); 228 new DummyEVCertsWhitelist(true, false));
204 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. 229 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
205 // However, as there are only two logs, two SCTs will be required - supply one 230 // However, as there are only two logs, two SCTs will be required - supply one
206 // to guarantee the test fails. 231 // to guarantee the test fails.
207 ct::CTVerifyResult result; 232 ct::CTVerifyResult result;
208 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 233 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
209 &result); 234 &result);
210 235
236 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
237 policy_enforcer_->DoesConformToCertPolicy(
238 chain_.get(), result.verified_scts, BoundNetLog()));
211 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 239 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
212 policy_enforcer_->DoesConformToCTEVPolicy( 240 policy_enforcer_->DoesConformToCTEVPolicy(
213 chain_.get(), non_including_whitelist.get(), 241 chain_.get(), non_including_whitelist.get(),
214 result.verified_scts, BoundNetLog())); 242 result.verified_scts, BoundNetLog()));
215 243
216 // ... but should be OK if whitelisted. 244 // ... but should be OK if whitelisted.
217 scoped_refptr<ct::EVCertsWhitelist> whitelist( 245 scoped_refptr<ct::EVCertsWhitelist> whitelist(
218 new DummyEVCertsWhitelist(true, true)); 246 new DummyEVCertsWhitelist(true, true));
219 EXPECT_EQ( 247 EXPECT_EQ(
220 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, 248 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
221 policy_enforcer_->DoesConformToCTEVPolicy( 249 policy_enforcer_->DoesConformToCTEVPolicy(
222 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); 250 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
223 } 251 }
224 252
225 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { 253 // TODO(estark): fix this test so that it can check if
254 // |no_valid_dates_cert| is on the whitelist without
255 // crashing. https://crbug.com/582740
256 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) {
226 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( 257 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
227 "subject", "issuer", base::Time(), base::Time::Now())); 258 "subject", "issuer", base::Time(), base::Time::Now()));
259 ASSERT_TRUE(no_valid_dates_cert);
228 ct::CTVerifyResult result; 260 ct::CTVerifyResult result;
229 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 261 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
230 &result); 262 &result);
263 EXPECT_EQ(
264 ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
265 policy_enforcer_->DoesConformToCertPolicy(
266 no_valid_dates_cert.get(), result.verified_scts, BoundNetLog()));
231 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 267 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
232 policy_enforcer_->DoesConformToCTEVPolicy( 268 policy_enforcer_->DoesConformToCTEVPolicy(
233 no_valid_dates_cert.get(), nullptr, result.verified_scts, 269 no_valid_dates_cert.get(), nullptr, result.verified_scts,
234 BoundNetLog())); 270 BoundNetLog()));
235 // ... but should be OK if whitelisted. 271 // ... but should be OK if whitelisted.
236 scoped_refptr<ct::EVCertsWhitelist> whitelist( 272 scoped_refptr<ct::EVCertsWhitelist> whitelist(
237 new DummyEVCertsWhitelist(true, true)); 273 new DummyEVCertsWhitelist(true, true));
238 EXPECT_EQ( 274 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
239 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, 275 policy_enforcer_->DoesConformToCTEVPolicy(
240 policy_enforcer_->DoesConformToCTEVPolicy( 276 no_valid_dates_cert.get(), whitelist.get(),
241 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); 277 result.verified_scts, BoundNetLog()));
242 } 278 }
243 279
244 TEST_F(CTPolicyEnforcerTest, 280 TEST_F(CTPolicyEnforcerTest,
245 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { 281 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
246 // Test multiple validity periods 282 // Test multiple validity periods
247 const struct TestData { 283 const struct TestData {
248 base::Time validity_start; 284 base::Time validity_start;
249 base::Time validity_end; 285 base::Time validity_end;
250 size_t scts_required; 286 size_t scts_required;
251 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. 287 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after
285 } 321 }
286 } 322 }
287 323
288 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { 324 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
289 scoped_refptr<ct::EVCertsWhitelist> whitelist( 325 scoped_refptr<ct::EVCertsWhitelist> whitelist(
290 new DummyEVCertsWhitelist(true, true)); 326 new DummyEVCertsWhitelist(true, true));
291 327
292 ct::CTVerifyResult result; 328 ct::CTVerifyResult result;
293 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 329 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
294 &result); 330 &result);
331 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
332 policy_enforcer_->DoesConformToCertPolicy(
333 chain_.get(), result.verified_scts, BoundNetLog()));
295 EXPECT_EQ( 334 EXPECT_EQ(
296 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, 335 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
297 policy_enforcer_->DoesConformToCTEVPolicy( 336 policy_enforcer_->DoesConformToCTEVPolicy(
298 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); 337 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
299 } 338 }
300 339
301 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { 340 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
302 scoped_refptr<ct::EVCertsWhitelist> whitelist( 341 scoped_refptr<ct::EVCertsWhitelist> whitelist(
303 new DummyEVCertsWhitelist(false, true)); 342 new DummyEVCertsWhitelist(false, true));
304 343
(...skipping 11 matching lines...) Expand all
316 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 355 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
317 &result); 356 &result);
318 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 357 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
319 policy_enforcer_->DoesConformToCTEVPolicy( 358 policy_enforcer_->DoesConformToCTEVPolicy(
320 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); 359 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
321 } 360 }
322 361
323 } // namespace 362 } // namespace
324 363
325 } // namespace net 364 } // namespace net
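Review bot: Disabling all of `DISABLED_DoesNotConformToPolicyInvalidDates` also switches off the two new-side expectations that never touch the whitelist: `DoesConformToCertPolicy(no_valid_dates_cert.get(), ...)` returning `CERT_POLICY_NOT_ENOUGH_SCTS`, and the `nullptr`-whitelist EV check. As a result, no enabled test exercises the fail-closed result for a certificate without usable validity dates. The TODO suggests the crash comes only from the whitelist lookup (an inference; the crashing call is not visible on this page), so consider keeping the first half enabled as `TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates)` and moving only the whitelist expectation, with the TODO, into `TEST_F(CTPolicyEnforcerTest, DISABLED_ConformsViaWhitelistInvalidDates)`. A smaller point: in `ConformsToPolicyByEVWhitelistPresence` the same chain now yields `CERT_POLICY_NOT_ENOUGH_SCTS` and `EV_POLICY_COMPLIES_VIA_WHITELIST`, so a comment above the new expectation such as `// The all-certs policy takes no EV whitelist, so one SCT is still insufficient here.` would tell readers the difference is intended.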