| Index: net/cert/ct_policy_enforcer_unittest.cc
|
| diff --git a/net/cert/ct_policy_enforcer_unittest.cc b/net/cert/ct_policy_enforcer_unittest.cc
|
| index 435525293337ea7569e52ccf35e881580b1123b1..3f0eab56e479ce4d6f4bc5fb3a7c8f7349bb9fe6 100644
|
| --- a/net/cert/ct_policy_enforcer_unittest.cc
|
| +++ b/net/cert/ct_policy_enforcer_unittest.cc
|
| @@ -123,15 +123,14 @@ class CTPolicyEnforcerTest : public ::testing::Test {
|
| for (size_t i = 0; i < required_scts - 1; ++i) {
|
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
|
| 1, std::vector<std::string>(), false, &result);
|
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - cert.get(), nullptr, result, BoundNetLog()))
|
| + EXPECT_FALSE(
|
| + policy_enforcer_->DoesConformToCertPolicy(cert.get(), result))
|
| << " for: " << (end - start).InDays() << " and " << required_scts
|
| << " scts=" << result.verified_scts.size() << " i=" << i;
|
| }
|
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
|
| std::vector<std::string>(), false, &result);
|
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - cert.get(), nullptr, result, BoundNetLog()))
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(cert.get(), result))
|
| << " for: " << (end - start).InDays() << " and " << required_scts
|
| << " scts=" << result.verified_scts.size();
|
| }
|
| @@ -148,8 +147,7 @@ TEST_F(CTPolicyEnforcerTest,
|
| ct::CTVerifyResult result;
|
| FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);
|
|
|
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - chain_.get(), nullptr, result, BoundNetLog()));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
|
| }
|
|
|
| TEST_F(CTPolicyEnforcerTest,
|
| @@ -157,16 +155,14 @@ TEST_F(CTPolicyEnforcerTest,
|
| ct::CTVerifyResult result;
|
| FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);
|
|
|
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - chain_.get(), nullptr, result, BoundNetLog()));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
|
| }
|
|
|
| TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
|
| ct::CTVerifyResult result;
|
| FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);
|
|
|
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
|
| - result, BoundNetLog()));
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
|
| }
|
|
|
| TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
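Review bot: The test names in this hunk still say "CTEVPolicy" although the bodies now assert only `DoesConformToCertPolicy`, which takes no whitelist and makes no EV decision. `ConformsToCTEVPolicyIfSCTBeforeEnforcementDate` would read more accurately as `ConformsToCertPolicyIfSCTBeforeEnforcementDate`. The same applies to `ConformsToCTEVPolicyWithNonEmbeddedSCTs` and `ConformsToCTEVPolicyWithEmbeddedSCTs` in the following hunks. Keeping the old names hides which of the two policy checks a failing test refers to.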
|
| @@ -174,8 +170,7 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
|
| FillResultWithSCTsOfOrigin(
|
| ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
|
|
|
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
|
| - result, BoundNetLog()));
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
|
| }
|
|
|
| TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
|
| @@ -184,8 +179,7 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
|
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
|
| &result);
|
|
|
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
|
| - result, BoundNetLog()));
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
|
| }
|
|
|
| TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
|
| @@ -198,14 +192,17 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
|
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
|
| &result);
|
|
|
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy(
|
| + chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
|
| + non_including_whitelist.get(), BoundNetLog()));
|
|
|
| // ... but should be OK if whitelisted.
|
| scoped_refptr<ct::EVCertsWhitelist> whitelist(
|
| new DummyEVCertsWhitelist(true, true));
|
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - chain_.get(), whitelist.get(), result, BoundNetLog()));
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(
|
| + chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
|
| + whitelist.get(), BoundNetLog()));
|
| }
|
|
|
| TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
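Review bot: The status literal `CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV` is written out by hand in both new `DoesConformToEVPolicy` calls here, and again in the InvalidDates, ConformsToPolicyByEVWhitelistPresence, IgnoresInvalidEVWhitelist and IgnoresNullEVWhitelist hunks. Because `result` is no longer passed to the EV check, that literal is the only thing telling the enforcer the certificate failed CT. Hoisting it into one named constant on the fixture would keep the call sites from drifting apart. A one-line comment such as `// EV cert whose CT compliance check failed; only the whitelist can keep it EV.` on that constant would also state the intent.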
|
| @@ -214,13 +211,14 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
|
| ct::CTVerifyResult result;
|
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
|
| &result);
|
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(
|
| + no_valid_dates_cert.get(), result));
|
| // ... but should be OK if whitelisted.
|
| scoped_refptr<ct::EVCertsWhitelist> whitelist(
|
| new DummyEVCertsWhitelist(true, true));
|
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - chain_.get(), whitelist.get(), result, BoundNetLog()));
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(
|
| + chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
|
| + whitelist.get(), BoundNetLog()));
|
| }
|
|
|
| TEST_F(CTPolicyEnforcerTest,
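Review bot: The "should be OK if whitelisted" assertion passes `chain_.get()`, while the failure above it is asserted for `no_valid_dates_cert.get()`. Since `DoesConformToEVPolicy` no longer receives `result`, that call is now identical to the whitelisted assertion in DoesNotConformToCTEVPolicyNotEnoughSCTs and never touches the certificate with invalid dates. If the intent is to show the whitelist rescuing that certificate, the first argument should be `no_valid_dates_cert.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,`. The removed line also used `chain_`, so this mismatch predates the commit, and whether `DummyEVCertsWhitelist(true, true)` matches any certificate is not visible here. The test body starts outside the hunk.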
|
| @@ -230,34 +228,28 @@ TEST_F(CTPolicyEnforcerTest,
|
| base::Time validity_start;
|
| base::Time validity_end;
|
| size_t scts_required;
|
| - } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
|
| - base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| - base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
|
| - 2},
|
| - {// Cert valid for exactly 15 months, needs 3 SCTs.
|
| - base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| - base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),
|
| - 3},
|
| - {// Cert valid for over 15 months, needs 3 SCTs.
|
| - base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| - base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),
|
| - 3},
|
| - {// Cert valid for exactly 27 months, needs 3 SCTs.
|
| - base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| - base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),
|
| - 3},
|
| - {// Cert valid for over 27 months, needs 4 SCTs.
|
| - base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| - base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),
|
| - 4},
|
| - {// Cert valid for exactly 39 months, needs 4 SCTs.
|
| - base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| - base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),
|
| - 4},
|
| - {// Cert valid for over 39 months, needs 5 SCTs.
|
| - base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| - base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),
|
| - 5}};
|
| + } kTestData[] = {
|
| + {// Cert valid for 14 months, needs 2 SCTs.
|
| + base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| + base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), 2},
|
| + {// Cert valid for exactly 15 months, needs 3 SCTs.
|
| + base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| + base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}), 3},
|
| + {// Cert valid for over 15 months, needs 3 SCTs.
|
| + base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| + base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}), 3},
|
| + {// Cert valid for exactly 27 months, needs 3 SCTs.
|
| + base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| + base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}), 3},
|
| + {// Cert valid for over 27 months, needs 4 SCTs.
|
| + base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| + base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}), 4},
|
| + {// Cert valid for exactly 39 months, needs 4 SCTs.
|
| + base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| + base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}), 4},
|
| + {// Cert valid for over 39 months, needs 5 SCTs.
|
| + base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
|
| + base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}), 5}};
|
|
|
| for (size_t i = 0; i < arraysize(kTestData); ++i) {
|
| SCOPED_TRACE(i);
|
| @@ -274,8 +266,10 @@ TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
|
| ct::CTVerifyResult result;
|
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
|
| &result);
|
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - chain_.get(), whitelist.get(), result, BoundNetLog()));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(
|
| + chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
|
| + whitelist.get(), BoundNetLog()));
|
| }
|
|
|
| TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
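Review bot: The new `EXPECT_FALSE` on `DoesConformToCertPolicy` in ConformsToPolicyByEVWhitelistPresence has no comment explaining why a test named "ConformsToPolicy" now asserts a non-conforming result. The old single call returned true here, so the split changes what the test says: the certificate itself does not meet the CT policy, and the whitelist only preserves the EV decision. A comment above the two assertions would record that, for example `// One embedded SCT is not enough for CT compliance; the whitelist affects only the EV outcome.` The `whitelist` variable is set up outside the hunk.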
|
| @@ -285,16 +279,20 @@ TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
|
| ct::CTVerifyResult result;
|
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
|
| &result);
|
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - chain_.get(), whitelist.get(), result, BoundNetLog()));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy(
|
| + chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
|
| + whitelist.get(), BoundNetLog()));
|
| }
|
|
|
| TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
|
| ct::CTVerifyResult result;
|
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
|
| &result);
|
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| - chain_.get(), nullptr, result, BoundNetLog()));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy(
|
| + chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
|
| + nullptr, BoundNetLog()));
|
| }
|
|
|
| } // namespace
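Review bot: Every `DoesConformToEVPolicy` call visible in this diff passes a status with `CERT_STATUS_CT_COMPLIANCE_FAILED` set, so nothing pins the behaviour when that bit is absent. IgnoresNullEVWhitelist therefore cannot tell "a null whitelist does not rescue a CT-failed EV cert" apart from "a null whitelist always fails". A control such as `EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(chain_.get(), CERT_STATUS_IS_EV, nullptr, BoundNetLog()));` would close that gap, with the expected value confirmed against the implementation, which is not shown here. A matching case without `CERT_STATUS_IS_EV` would document whether the whitelist path can ever apply to a non-EV certificate.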
|
|
|