OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
(...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
117 const base::Time& start, | 117 const base::Time& start, |
118 const base::Time& end, | 118 const base::Time& end, |
119 size_t required_scts) { | 119 size_t required_scts) { |
120 scoped_refptr<X509Certificate> cert( | 120 scoped_refptr<X509Certificate> cert( |
121 new X509Certificate("subject", "issuer", start, end)); | 121 new X509Certificate("subject", "issuer", start, end)); |
122 ct::SCTList scts; | 122 ct::SCTList scts; |
123 | 123 |
124 for (size_t i = 0; i < required_scts - 1; ++i) { | 124 for (size_t i = 0; i < required_scts - 1; ++i) { |
125 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 125 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
126 std::vector<std::string>(), false, &scts); | 126 std::vector<std::string>(), false, &scts); |
| 127 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 128 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
| 129 BoundNetLog())) |
| 130 << " for: " << (end - start).InDays() << " and " << required_scts |
| 131 << " scts=" << scts.size() << " i=" << i; |
127 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 132 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
128 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 133 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
129 scts, BoundNetLog())) | 134 scts, BoundNetLog())) |
130 << " for: " << (end - start).InDays() << " and " << required_scts | 135 << " for: " << (end - start).InDays() << " and " << required_scts |
131 << " scts=" << scts.size() << " i=" << i; | 136 << " scts=" << scts.size() << " i=" << i; |
132 } | 137 } |
133 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 138 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
134 std::vector<std::string>(), false, &scts); | 139 std::vector<std::string>(), false, &scts); |
| 140 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 141 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
| 142 BoundNetLog())) |
| 143 << " for: " << (end - start).InDays() << " and " << required_scts |
| 144 << " scts=" << scts.size(); |
135 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 145 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
136 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 146 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
137 scts, BoundNetLog())) | 147 scts, BoundNetLog())) |
138 << " for: " << (end - start).InDays() << " and " << required_scts | 148 << " for: " << (end - start).InDays() << " and " << required_scts |
139 << " scts=" << scts.size(); | 149 << " scts=" << scts.size(); |
140 } | 150 } |
141 | 151 |
142 protected: | 152 protected: |
143 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; | 153 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
144 scoped_refptr<X509Certificate> chain_; | 154 scoped_refptr<X509Certificate> chain_; |
145 std::string google_log_id_; | 155 std::string google_log_id_; |
146 std::string non_google_log_id_; | 156 std::string non_google_log_id_; |
147 }; | 157 }; |
148 | 158 |
149 TEST_F(CTPolicyEnforcerTest, | 159 TEST_F(CTPolicyEnforcerTest, |
150 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 160 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
151 ct::SCTList scts; | 161 ct::SCTList scts; |
152 FillSCTListWithRepeatedLogID(google_log_id_, 2, true, &scts); | 162 FillSCTListWithRepeatedLogID(google_log_id_, 2, true, &scts); |
153 | 163 |
| 164 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 165 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 166 BoundNetLog())); |
154 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 167 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
155 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 168 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
156 scts, BoundNetLog())); | 169 scts, BoundNetLog())); |
157 } | 170 } |
158 | 171 |
159 TEST_F(CTPolicyEnforcerTest, | 172 TEST_F(CTPolicyEnforcerTest, |
160 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 173 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
161 ct::SCTList scts; | 174 ct::SCTList scts; |
162 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, true, &scts); | 175 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, true, &scts); |
163 | 176 |
| 177 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 178 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 179 BoundNetLog())); |
164 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 180 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
165 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 181 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
166 scts, BoundNetLog())); | 182 scts, BoundNetLog())); |
167 } | 183 } |
168 | 184 |
169 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 185 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
170 ct::SCTList scts; | 186 ct::SCTList scts; |
171 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, false, &scts); | 187 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, false, &scts); |
172 | 188 |
| 189 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 190 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 191 BoundNetLog())); |
173 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 192 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
174 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 193 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
175 scts, BoundNetLog())); | 194 scts, BoundNetLog())); |
176 } | 195 } |
177 | 196 |
178 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 197 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
179 ct::SCTList scts; | 198 ct::SCTList scts; |
180 FillListWithSCTsOfOrigin( | 199 FillListWithSCTsOfOrigin( |
181 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); | 200 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); |
182 | 201 |
| 202 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 203 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 204 BoundNetLog())); |
183 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 205 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
184 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 206 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
185 scts, BoundNetLog())); | 207 scts, BoundNetLog())); |
186 } | 208 } |
187 | 209 |
188 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 210 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
189 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 211 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
190 ct::SCTList scts; | 212 ct::SCTList scts; |
191 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 213 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
192 &scts); | 214 &scts); |
193 | 215 |
| 216 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 217 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 218 BoundNetLog())); |
194 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 219 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
195 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 220 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
196 scts, BoundNetLog())); | 221 scts, BoundNetLog())); |
197 } | 222 } |
198 | 223 |
199 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 224 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
200 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 225 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
201 new DummyEVCertsWhitelist(true, false)); | 226 new DummyEVCertsWhitelist(true, false)); |
202 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 227 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
203 // However, as there are only two logs, two SCTs will be required - supply one | 228 // However, as there are only two logs, two SCTs will be required - supply one |
204 // to guarantee the test fails. | 229 // to guarantee the test fails. |
205 ct::SCTList scts; | 230 ct::SCTList scts; |
206 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 231 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
207 &scts); | 232 &scts); |
208 | 233 |
| 234 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 235 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 236 BoundNetLog())); |
209 EXPECT_EQ( | 237 EXPECT_EQ( |
210 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 238 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
211 policy_enforcer_->DoesConformToCTEVPolicy( | 239 policy_enforcer_->DoesConformToCTEVPolicy( |
212 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); | 240 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); |
213 | 241 |
214 // ... but should be OK if whitelisted. | 242 // ... but should be OK if whitelisted. |
215 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 243 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
216 new DummyEVCertsWhitelist(true, true)); | 244 new DummyEVCertsWhitelist(true, true)); |
217 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 245 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
218 policy_enforcer_->DoesConformToCTEVPolicy( | 246 policy_enforcer_->DoesConformToCTEVPolicy( |
219 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 247 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
220 } | 248 } |
221 | 249 |
222 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 250 // TODO(estark): fix this test so that it can check if |
| 251 // |no_valid_dates_cert| is on the whitelist without |
| 252 // crashing. https://crbug.com/582740 |
| 253 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) { |
223 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 254 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
224 "subject", "issuer", base::Time(), base::Time::Now())); | 255 "subject", "issuer", base::Time(), base::Time::Now())); |
225 ct::SCTList scts; | 256 ct::SCTList scts; |
226 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 257 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
227 &scts); | 258 &scts); |
| 259 ASSERT_TRUE(no_valid_dates_cert); |
| 260 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 261 policy_enforcer_->DoesConformToCertPolicy(no_valid_dates_cert.get(), |
| 262 scts, BoundNetLog())); |
228 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 263 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
229 policy_enforcer_->DoesConformToCTEVPolicy( | 264 policy_enforcer_->DoesConformToCTEVPolicy( |
230 no_valid_dates_cert.get(), nullptr, scts, BoundNetLog())); | 265 no_valid_dates_cert.get(), nullptr, scts, BoundNetLog())); |
231 // ... but should be OK if whitelisted. | 266 // ... but should be OK if whitelisted. |
232 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 267 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
233 new DummyEVCertsWhitelist(true, true)); | 268 new DummyEVCertsWhitelist(true, true)); |
234 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 269 EXPECT_EQ( |
235 policy_enforcer_->DoesConformToCTEVPolicy( | 270 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
236 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 271 policy_enforcer_->DoesConformToCTEVPolicy( |
| 272 no_valid_dates_cert.get(), whitelist.get(), scts, BoundNetLog())); |
237 } | 273 } |
238 | 274 |
239 TEST_F(CTPolicyEnforcerTest, | 275 TEST_F(CTPolicyEnforcerTest, |
240 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 276 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
241 // Test multiple validity periods | 277 // Test multiple validity periods |
242 const struct TestData { | 278 const struct TestData { |
243 base::Time validity_start; | 279 base::Time validity_start; |
244 base::Time validity_end; | 280 base::Time validity_end; |
245 size_t scts_required; | 281 size_t scts_required; |
246 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 282 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
280 } | 316 } |
281 } | 317 } |
282 | 318 |
283 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 319 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
284 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 320 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
285 new DummyEVCertsWhitelist(true, true)); | 321 new DummyEVCertsWhitelist(true, true)); |
286 | 322 |
287 ct::SCTList scts; | 323 ct::SCTList scts; |
288 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 324 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
289 &scts); | 325 &scts); |
| 326 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 327 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 328 BoundNetLog())); |
290 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 329 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
291 policy_enforcer_->DoesConformToCTEVPolicy( | 330 policy_enforcer_->DoesConformToCTEVPolicy( |
292 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 331 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
293 } | 332 } |
294 | 333 |
295 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 334 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
296 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 335 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
297 new DummyEVCertsWhitelist(false, true)); | 336 new DummyEVCertsWhitelist(false, true)); |
298 | 337 |
299 ct::SCTList scts; | 338 ct::SCTList scts; |
300 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 339 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
301 &scts); | 340 &scts); |
302 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 341 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
303 policy_enforcer_->DoesConformToCTEVPolicy( | 342 policy_enforcer_->DoesConformToCTEVPolicy( |
304 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 343 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
305 } | 344 } |
306 | 345 |
307 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 346 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
308 ct::SCTList scts; | 347 ct::SCTList scts; |
309 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 348 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
310 &scts); | 349 &scts); |
311 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 350 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
312 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 351 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
313 scts, BoundNetLog())); | 352 scts, BoundNetLog())); |
314 } | 353 } |
315 | 354 |
316 } // namespace | 355 } // namespace |
317 | 356 |
318 } // namespace net | 357 } // namespace net |
OLD | NEW |