| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| (...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 116 const base::Time& start, | 116 const base::Time& start, |
| 117 const base::Time& end, | 117 const base::Time& end, |
| 118 size_t required_scts) { | 118 size_t required_scts) { |
| 119 scoped_refptr<X509Certificate> cert( | 119 scoped_refptr<X509Certificate> cert( |
| 120 new X509Certificate("subject", "issuer", start, end)); | 120 new X509Certificate("subject", "issuer", start, end)); |
| 121 ct::CTVerifyResult result; | 121 ct::CTVerifyResult result; |
| 122 | 122 |
| 123 for (size_t i = 0; i < required_scts - 1; ++i) { | 123 for (size_t i = 0; i < required_scts - 1; ++i) { |
| 124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 125 1, std::vector<std::string>(), false, &result); | 125 1, std::vector<std::string>(), false, &result); |
| 126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 126 EXPECT_FALSE( |
| 127 cert.get(), nullptr, result, BoundNetLog())) | 127 policy_enforcer_->DoesConformToCertPolicy(cert.get(), result)) |
| 128 << " for: " << (end - start).InDays() << " and " << required_scts | 128 << " for: " << (end - start).InDays() << " and " << required_scts |
| 129 << " scts=" << result.verified_scts.size() << " i=" << i; | 129 << " scts=" << result.verified_scts.size() << " i=" << i; |
| 130 } | 130 } |
| 131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 132 std::vector<std::string>(), false, &result); | 132 std::vector<std::string>(), false, &result); |
| 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(cert.get(), result)) |
| 134 cert.get(), nullptr, result, BoundNetLog())) | |
| 135 << " for: " << (end - start).InDays() << " and " << required_scts | 134 << " for: " << (end - start).InDays() << " and " << required_scts |
| 136 << " scts=" << result.verified_scts.size(); | 135 << " scts=" << result.verified_scts.size(); |
| 137 } | 136 } |
| 138 | 137 |
| 139 protected: | 138 protected: |
| 140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; | 139 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
| 141 scoped_refptr<X509Certificate> chain_; | 140 scoped_refptr<X509Certificate> chain_; |
| 142 std::string google_log_id_; | 141 std::string google_log_id_; |
| 143 std::string non_google_log_id_; | 142 std::string non_google_log_id_; |
| 144 }; | 143 }; |
| 145 | 144 |
| 146 TEST_F(CTPolicyEnforcerTest, | 145 TEST_F(CTPolicyEnforcerTest, |
| 147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 146 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
| 148 ct::CTVerifyResult result; | 147 ct::CTVerifyResult result; |
| 149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); | 148 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
| 150 | 149 |
| 151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 150 EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result)); |
| 152 chain_.get(), nullptr, result, BoundNetLog())); | |
| 153 } | 151 } |
| 154 | 152 |
| 155 TEST_F(CTPolicyEnforcerTest, | 153 TEST_F(CTPolicyEnforcerTest, |
| 156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 154 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
| 157 ct::CTVerifyResult result; | 155 ct::CTVerifyResult result; |
| 158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); | 156 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
| 159 | 157 |
| 160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 158 EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result)); |
| 161 chain_.get(), nullptr, result, BoundNetLog())); | |
| 162 } | 159 } |
| 163 | 160 |
| 164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 161 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
| 165 ct::CTVerifyResult result; | 162 ct::CTVerifyResult result; |
| 166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); | 163 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
| 167 | 164 |
| 168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 165 EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result)); |
| 169 result, BoundNetLog())); | |
| 170 } | 166 } |
| 171 | 167 |
| 172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 168 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| 173 ct::CTVerifyResult result; | 169 ct::CTVerifyResult result; |
| 174 FillResultWithSCTsOfOrigin( | 170 FillResultWithSCTsOfOrigin( |
| 175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 171 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
| 176 | 172 |
| 177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 173 EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result)); |
| 178 result, BoundNetLog())); | |
| 179 } | 174 } |
| 180 | 175 |
| 181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 176 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| 182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 177 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 183 ct::CTVerifyResult result; | 178 ct::CTVerifyResult result; |
| 184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 179 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 185 &result); | 180 &result); |
| 186 | 181 |
| 187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 182 EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result)); |
| 188 result, BoundNetLog())); | |
| 189 } | 183 } |
| 190 | 184 |
| 191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 185 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 186 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
| 193 new DummyEVCertsWhitelist(true, false)); | 187 new DummyEVCertsWhitelist(true, false)); |
| 194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 188 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 195 // However, as there are only two logs, two SCTs will be required - supply one | 189 // However, as there are only two logs, two SCTs will be required - supply one |
| 196 // to guarantee the test fails. | 190 // to guarantee the test fails. |
| 197 ct::CTVerifyResult result; | 191 ct::CTVerifyResult result; |
| 198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 192 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 199 &result); | 193 &result); |
| 200 | 194 |
| 201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 195 EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result)); |
| 202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); | 196 EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy( |
| 197 chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV, |
| 198 non_including_whitelist.get(), BoundNetLog())); |
| 203 | 199 |
| 204 // ... but should be OK if whitelisted. | 200 // ... but should be OK if whitelisted. |
| 205 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 201 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 206 new DummyEVCertsWhitelist(true, true)); | 202 new DummyEVCertsWhitelist(true, true)); |
| 207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 203 EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy( |
| 208 chain_.get(), whitelist.get(), result, BoundNetLog())); | 204 chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV, |
| 205 whitelist.get(), BoundNetLog())); |
| 209 } | 206 } |
| 210 | 207 |
| 211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 208 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
| 212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 209 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
| 213 "subject", "issuer", base::Time(), base::Time::Now())); | 210 "subject", "issuer", base::Time(), base::Time::Now())); |
| 214 ct::CTVerifyResult result; | 211 ct::CTVerifyResult result; |
| 215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 212 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 216 &result); | 213 &result); |
| 217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 214 EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy( |
| 218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); | 215 no_valid_dates_cert.get(), result)); |
| 219 // ... but should be OK if whitelisted. | 216 // ... but should be OK if whitelisted. |
| 220 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 217 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 221 new DummyEVCertsWhitelist(true, true)); | 218 new DummyEVCertsWhitelist(true, true)); |
| 222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 219 EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy( |
| 223 chain_.get(), whitelist.get(), result, BoundNetLog())); | 220 chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV, |
| 221 whitelist.get(), BoundNetLog())); |
| 224 } | 222 } |
| 225 | 223 |
| 226 TEST_F(CTPolicyEnforcerTest, | 224 TEST_F(CTPolicyEnforcerTest, |
| 227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 225 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
| 228 // Test multiple validity periods | 226 // Test multiple validity periods |
| 229 const struct TestData { | 227 const struct TestData { |
| 230 base::Time validity_start; | 228 base::Time validity_start; |
| 231 base::Time validity_end; | 229 base::Time validity_end; |
| 232 size_t scts_required; | 230 size_t scts_required; |
| 233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 231 } kTestData[] = { |
| 234 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | 232 {// Cert valid for 14 months, needs 2 SCTs. |
| 235 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), | 233 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
| 236 2}, | 234 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), 2}, |
| 237 {// Cert valid for exactly 15 months, needs 3 SCTs. | 235 {// Cert valid for exactly 15 months, needs 3 SCTs. |
| 238 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | 236 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
| 239 base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}), | 237 base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}), 3}, |
| 240 3}, | 238 {// Cert valid for over 15 months, needs 3 SCTs. |
| 241 {// Cert valid for over 15 months, needs 3 SCTs. | 239 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
| 242 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | 240 base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}), 3}, |
| 243 base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}), | 241 {// Cert valid for exactly 27 months, needs 3 SCTs. |
| 244 3}, | 242 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
| 245 {// Cert valid for exactly 27 months, needs 3 SCTs. | 243 base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}), 3}, |
| 246 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | 244 {// Cert valid for over 27 months, needs 4 SCTs. |
| 247 base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}), | 245 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
| 248 3}, | 246 base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}), 4}, |
| 249 {// Cert valid for over 27 months, needs 4 SCTs. | 247 {// Cert valid for exactly 39 months, needs 4 SCTs. |
| 250 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | 248 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
| 251 base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}), | 249 base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}), 4}, |
| 252 4}, | 250 {// Cert valid for over 39 months, needs 5 SCTs. |
| 253 {// Cert valid for exactly 39 months, needs 4 SCTs. | 251 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
| 254 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | 252 base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}), 5}}; |
| 255 base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}), | |
| 256 4}, | |
| 257 {// Cert valid for over 39 months, needs 5 SCTs. | |
| 258 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | |
| 259 base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}), | |
| 260 5}}; | |
| 261 | 253 |
| 262 for (size_t i = 0; i < arraysize(kTestData); ++i) { | 254 for (size_t i = 0; i < arraysize(kTestData); ++i) { |
| 263 SCOPED_TRACE(i); | 255 SCOPED_TRACE(i); |
| 264 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( | 256 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( |
| 265 kTestData[i].validity_start, kTestData[i].validity_end, | 257 kTestData[i].validity_start, kTestData[i].validity_end, |
| 266 kTestData[i].scts_required); | 258 kTestData[i].scts_required); |
| 267 } | 259 } |
| 268 } | 260 } |
| 269 | 261 |
| 270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 262 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
| 271 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 263 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 272 new DummyEVCertsWhitelist(true, true)); | 264 new DummyEVCertsWhitelist(true, true)); |
| 273 | 265 |
| 274 ct::CTVerifyResult result; | 266 ct::CTVerifyResult result; |
| 275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 267 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 276 &result); | 268 &result); |
| 277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 269 EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result)); |
| 278 chain_.get(), whitelist.get(), result, BoundNetLog())); | 270 EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy( |
| 271 chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV, |
| 272 whitelist.get(), BoundNetLog())); |
| 279 } | 273 } |
| 280 | 274 |
| 281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 275 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
| 282 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 276 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 283 new DummyEVCertsWhitelist(false, true)); | 277 new DummyEVCertsWhitelist(false, true)); |
| 284 | 278 |
| 285 ct::CTVerifyResult result; | 279 ct::CTVerifyResult result; |
| 286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 280 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 287 &result); | 281 &result); |
| 288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 282 EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result)); |
| 289 chain_.get(), whitelist.get(), result, BoundNetLog())); | 283 EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy( |
| 284 chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV, |
| 285 whitelist.get(), BoundNetLog())); |
| 290 } | 286 } |
| 291 | 287 |
| 292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 288 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
| 293 ct::CTVerifyResult result; | 289 ct::CTVerifyResult result; |
| 294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 290 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 295 &result); | 291 &result); |
| 296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 292 EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result)); |
| 297 chain_.get(), nullptr, result, BoundNetLog())); | 293 EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy( |
| 294 chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV, |
| 295 nullptr, BoundNetLog())); |
| 298 } | 296 } |
| 299 | 297 |
| 300 } // namespace | 298 } // namespace |
| 301 | 299 |
| 302 } // namespace net | 300 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1578993003:
Add Expect CT policy that gets checked on all certs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master