
Unified Diff: net/cert/ct_policy_enforcer_unittest.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: tweaks Created 4 years, 11 months ago
Index: net/cert/ct_policy_enforcer_unittest.cc
diff --git a/net/cert/ct_policy_enforcer_unittest.cc b/net/cert/ct_policy_enforcer_unittest.cc
index 435525293337ea7569e52ccf35e881580b1123b1..3f0eab56e479ce4d6f4bc5fb3a7c8f7349bb9fe6 100644
--- a/net/cert/ct_policy_enforcer_unittest.cc
+++ b/net/cert/ct_policy_enforcer_unittest.cc
@@ -123,15 +123,14 @@ class CTPolicyEnforcerTest : public ::testing::Test {
for (size_t i = 0; i < required_scts - 1; ++i) {
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
1, std::vector<std::string>(), false, &result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- cert.get(), nullptr, result, BoundNetLog()))
+ EXPECT_FALSE(
+ policy_enforcer_->DoesConformToCertPolicy(cert.get(), result))
<< " for: " << (end - start).InDays() << " and " << required_scts
<< " scts=" << result.verified_scts.size() << " i=" << i;
}
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
std::vector<std::string>(), false, &result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
- cert.get(), nullptr, result, BoundNetLog()))
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(cert.get(), result))
<< " for: " << (end - start).InDays() << " and " << required_scts
<< " scts=" << result.verified_scts.size();
}
@@ -148,8 +147,7 @@ TEST_F(CTPolicyEnforcerTest,
ct::CTVerifyResult result;
FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, result, BoundNetLog()));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
}
TEST_F(CTPolicyEnforcerTest,
@@ -157,16 +155,14 @@ TEST_F(CTPolicyEnforcerTest,
ct::CTVerifyResult result;
FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, result, BoundNetLog()));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
}
TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
ct::CTVerifyResult result;
FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
- result, BoundNetLog()));
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
}
TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
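Review bot: The TEST_F names ConformsToCTEVPolicyIfSCTBeforeEnforcementDate and ConformsToCTEVPolicyWithNonEmbeddedSCTs in this hunk still say "CTEVPolicy", but after this change the only assertion they make is on DoesConformToCertPolicy, with no EV status or whitelist involved; the same holds for ConformsToCTEVPolicyWithEmbeddedSCTs and DoesNotConformToCTEVPolicyNotEnoughSCTs in the next two hunks. Now that the CT check and the EV exemption are separate entry points, a name such as `TEST_F(CTPolicyEnforcerTest, ConformsToCertPolicyIfSCTBeforeEnforcementDate) {` tells a reader of a failing test log which of the two policies actually regressed. The test bodies themselves are correct as rewritten.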
@@ -174,8 +170,7 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
FillResultWithSCTsOfOrigin(
ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
- result, BoundNetLog()));
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
}
TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
@@ -184,8 +179,7 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
&result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
- result, BoundNetLog()));
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
}
TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
@@ -198,14 +192,17 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
&result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy(
+ chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
+ non_including_whitelist.get(), BoundNetLog()));
// ... but should be OK if whitelisted.
scoped_refptr<ct::EVCertsWhitelist> whitelist(
new DummyEVCertsWhitelist(true, true));
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), result, BoundNetLog()));
+ EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(
+ chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
+ whitelist.get(), BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
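Review bot: The status mask `CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV` is spelled out by hand in both DoesConformToEVPolicy calls here and again in every later hunk; a fixture-level `const CertStatus kEvCtFailedStatus = CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV;` would name the intent once and keep the seven call sites in sync. Because the mask is hard-coded rather than derived from the DoesConformToCertPolicy result asserted just above, these tests exercise the EV exemption in isolation; the mapping from a failed cert-policy check to CERT_STATUS_CT_COMPLIANCE_FAILED presumably lives in the caller and is not covered in this file. Since the whitelist is effectively a bypass of CT enforcement for EV certificates, that wiring deserves its own test wherever it lands.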
@@ -214,13 +211,14 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
ct::CTVerifyResult result;
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
&result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(
+ no_valid_dates_cert.get(), result));
// ... but should be OK if whitelisted.
scoped_refptr<ct::EVCertsWhitelist> whitelist(
new DummyEVCertsWhitelist(true, true));
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), result, BoundNetLog()));
+ EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(
+ chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
+ whitelist.get(), BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest,
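Review bot: In DoesNotConformToPolicyInvalidDates the "OK if whitelisted" branch calls DoesConformToEVPolicy with `chain_.get()`, while the failing DoesConformToCertPolicy assertion a few lines above used `no_valid_dates_cert.get()`, so the whitelist is never applied to the certificate with invalid dates that the test is named for. The mismatch predates this change (the removed line also used chain_), but the call is rewritten here, so it is the moment to pass `no_valid_dates_cert.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,` instead. This assumes DummyEVCertsWhitelist(true, true) accepts any chain, which its constructor arguments suggest but the hunk does not show.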
@@ -230,34 +228,28 @@ TEST_F(CTPolicyEnforcerTest,
base::Time validity_start;
base::Time validity_end;
size_t scts_required;
- } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
- base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
- 2},
- {// Cert valid for exactly 15 months, needs 3 SCTs.
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
- base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),
- 3},
- {// Cert valid for over 15 months, needs 3 SCTs.
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
- base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),
- 3},
- {// Cert valid for exactly 27 months, needs 3 SCTs.
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
- base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),
- 3},
- {// Cert valid for over 27 months, needs 4 SCTs.
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
- base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),
- 4},
- {// Cert valid for exactly 39 months, needs 4 SCTs.
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
- base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),
- 4},
- {// Cert valid for over 39 months, needs 5 SCTs.
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
- base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),
- 5}};
+ } kTestData[] = {
+ {// Cert valid for 14 months, needs 2 SCTs.
+ base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+ base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), 2},
+ {// Cert valid for exactly 15 months, needs 3 SCTs.
+ base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+ base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}), 3},
+ {// Cert valid for over 15 months, needs 3 SCTs.
+ base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+ base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}), 3},
+ {// Cert valid for exactly 27 months, needs 3 SCTs.
+ base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+ base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}), 3},
+ {// Cert valid for over 27 months, needs 4 SCTs.
+ base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+ base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}), 4},
+ {// Cert valid for exactly 39 months, needs 4 SCTs.
+ base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+ base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}), 4},
+ {// Cert valid for over 39 months, needs 5 SCTs.
+ base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+ base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}), 5}};
for (size_t i = 0; i < arraysize(kTestData); ++i) {
SCOPED_TRACE(i);
@@ -274,8 +266,10 @@ TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
ct::CTVerifyResult result;
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
&result);
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), result, BoundNetLog()));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
+ EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(
+ chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
+ whitelist.get(), BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
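Review bot: ConformsToPolicyByEVWhitelistPresence only exercises DoesConformToEVPolicy with the status `CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV`; no test in this diff calls it with a status that lacks CERT_STATUS_IS_EV, or with one where CT compliance did not fail, so the new status-driven branching of the EV check is only partly covered. Because the whitelist is an exemption from CT enforcement, a case passing `CERT_STATUS_CT_COMPLIANCE_FAILED` alone (non-EV) and one passing `CERT_STATUS_IS_EV` alone (CT already satisfied), each asserting the result the implementation's contract intends, would pin down that the exemption is applied only where meant. The expected values depend on the implementation, which is outside this diff; the `whitelist` used in this hunk is declared above it.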
@@ -285,16 +279,20 @@ TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
ct::CTVerifyResult result;
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
&result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), result, BoundNetLog()));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy(
+ chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
+ whitelist.get(), BoundNetLog()));
}
TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
ct::CTVerifyResult result;
FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
&result);
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, result, BoundNetLog()));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
+ EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy(
+ chain_.get(), CERT_STATUS_CT_COMPLIANCE_FAILED | CERT_STATUS_IS_EV,
+ nullptr, BoundNetLog()));
}
} // namespace
