| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/cert_policy_enforcer.h" | |
| 6 | |
| 7 #include <string> | |
| 8 | |
| 9 #include "base/memory/scoped_ptr.h" | |
| 10 #include "base/time/time.h" | |
| 11 #include "base/version.h" | |
| 12 #include "crypto/sha2.h" | |
| 13 #include "net/base/test_data_directory.h" | |
| 14 #include "net/cert/ct_ev_whitelist.h" | |
| 15 #include "net/cert/ct_verify_result.h" | |
| 16 #include "net/cert/x509_certificate.h" | |
| 17 #include "net/test/cert_test_util.h" | |
| 18 #include "net/test/ct_test_util.h" | |
| 19 #include "testing/gmock/include/gmock/gmock.h" | |
| 20 #include "testing/gtest/include/gtest/gtest.h" | |
| 21 | |
| 22 namespace net { | |
| 23 | |
| 24 namespace { | |
| 25 | |
| 26 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { | |
| 27 public: | |
| 28 DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response) | |
| 29 : canned_is_valid_(is_valid_response), | |
| 30 canned_contains_response_(contains_hash_response) {} | |
| 31 | |
| 32 bool IsValid() const override { return canned_is_valid_; } | |
| 33 | |
| 34 bool ContainsCertificateHash( | |
| 35 const std::string& certificate_hash) const override { | |
| 36 return canned_contains_response_; | |
| 37 } | |
| 38 | |
| 39 base::Version Version() const override { return base::Version(); } | |
| 40 | |
| 41 protected: | |
| 42 ~DummyEVCertsWhitelist() override {} | |
| 43 | |
| 44 private: | |
| 45 bool canned_is_valid_; | |
| 46 bool canned_contains_response_; | |
| 47 }; | |
| 48 | |
| 49 const char kGoogleAviatorLogID[] = | |
| 50 "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" | |
| 51 "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; | |
| 52 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length, | |
| 53 "Incorrect log ID length."); | |
| 54 | |
| 55 class CertPolicyEnforcerTest : public ::testing::Test { | |
| 56 public: | |
| 57 void SetUp() override { | |
| 58 policy_enforcer_.reset(new CertPolicyEnforcer); | |
| 59 | |
| 60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | |
| 61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | |
| 62 der_test_cert.size()); | |
| 63 ASSERT_TRUE(chain_.get()); | |
| 64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); | |
| 65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); | |
| 66 } | |
| 67 | |
| 68 void FillResultWithSCTsOfOrigin( | |
| 69 ct::SignedCertificateTimestamp::Origin desired_origin, | |
| 70 size_t num_scts, | |
| 71 const std::vector<std::string>& desired_log_keys, | |
| 72 bool timestamp_past_enforcement_date, | |
| 73 ct::CTVerifyResult* result) { | |
| 74 for (size_t i = 0; i < num_scts; ++i) { | |
| 75 scoped_refptr<ct::SignedCertificateTimestamp> sct( | |
| 76 new ct::SignedCertificateTimestamp()); | |
| 77 sct->origin = desired_origin; | |
| 78 if (i < desired_log_keys.size()) | |
| 79 sct->log_id = desired_log_keys[i]; | |
| 80 else | |
| 81 sct->log_id = non_google_log_id_; | |
| 82 | |
| 83 if (timestamp_past_enforcement_date) | |
| 84 sct->timestamp = | |
| 85 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); | |
| 86 else | |
| 87 sct->timestamp = | |
| 88 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); | |
| 89 | |
| 90 result->verified_scts.push_back(sct); | |
| 91 } | |
| 92 } | |
| 93 | |
| 94 void FillResultWithSCTsOfOrigin( | |
| 95 ct::SignedCertificateTimestamp::Origin desired_origin, | |
| 96 size_t num_scts, | |
| 97 ct::CTVerifyResult* result) { | |
| 98 std::vector<std::string> desired_log_ids; | |
| 99 desired_log_ids.push_back(google_log_id_); | |
| 100 FillResultWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, | |
| 101 result); | |
| 102 } | |
| 103 | |
| 104 void FillResultWithRepeatedLogID(const std::string& desired_id, | |
| 105 size_t num_scts, | |
| 106 bool timestamp_past_enforcement_date, | |
| 107 ct::CTVerifyResult* result) { | |
| 108 std::vector<std::string> desired_log_ids(num_scts, desired_id); | |
| 109 | |
| 110 FillResultWithSCTsOfOrigin( | |
| 111 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, num_scts, | |
| 112 desired_log_ids, timestamp_past_enforcement_date, result); | |
| 113 } | |
| 114 | |
| 115 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( | |
| 116 const base::Time& start, | |
| 117 const base::Time& end, | |
| 118 size_t required_scts) { | |
| 119 scoped_refptr<X509Certificate> cert( | |
| 120 new X509Certificate("subject", "issuer", start, end)); | |
| 121 ct::CTVerifyResult result; | |
| 122 | |
| 123 for (size_t i = 0; i < required_scts - 1; ++i) { | |
| 124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
| 125 1, std::vector<std::string>(), false, &result); | |
| 126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 127 cert.get(), nullptr, result, BoundNetLog())) | |
| 128 << " for: " << (end - start).InDays() << " and " << required_scts | |
| 129 << " scts=" << result.verified_scts.size() << " i=" << i; | |
| 130 } | |
| 131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 132 std::vector<std::string>(), false, &result); | |
| 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 134 cert.get(), nullptr, result, BoundNetLog())) | |
| 135 << " for: " << (end - start).InDays() << " and " << required_scts | |
| 136 << " scts=" << result.verified_scts.size(); | |
| 137 } | |
| 138 | |
| 139 protected: | |
| 140 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; | |
| 141 scoped_refptr<X509Certificate> chain_; | |
| 142 std::string google_log_id_; | |
| 143 std::string non_google_log_id_; | |
| 144 }; | |
| 145 | |
| 146 TEST_F(CertPolicyEnforcerTest, | |
| 147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | |
| 148 ct::CTVerifyResult result; | |
| 149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); | |
| 150 | |
| 151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 152 chain_.get(), nullptr, result, BoundNetLog())); | |
| 153 } | |
| 154 | |
| 155 TEST_F(CertPolicyEnforcerTest, | |
| 156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | |
| 157 ct::CTVerifyResult result; | |
| 158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); | |
| 159 | |
| 160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 161 chain_.get(), nullptr, result, BoundNetLog())); | |
| 162 } | |
| 163 | |
| 164 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | |
| 165 ct::CTVerifyResult result; | |
| 166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); | |
| 167 | |
| 168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | |
| 169 result, BoundNetLog())); | |
| 170 } | |
| 171 | |
| 172 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | |
| 173 ct::CTVerifyResult result; | |
| 174 FillResultWithSCTsOfOrigin( | |
| 175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | |
| 176 | |
| 177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | |
| 178 result, BoundNetLog())); | |
| 179 } | |
| 180 | |
| 181 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | |
| 182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
| 183 ct::CTVerifyResult result; | |
| 184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
| 185 &result); | |
| 186 | |
| 187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | |
| 188 result, BoundNetLog())); | |
| 189 } | |
| 190 | |
| 191 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | |
| 192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | |
| 193 new DummyEVCertsWhitelist(true, false)); | |
| 194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
| 195 // However, as there are only two logs, two SCTs will be required - supply one | |
| 196 // to guarantee the test fails. | |
| 197 ct::CTVerifyResult result; | |
| 198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 199 &result); | |
| 200 | |
| 201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); | |
| 203 | |
| 204 // ... but should be OK if whitelisted. | |
| 205 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
| 206 new DummyEVCertsWhitelist(true, true)); | |
| 207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 208 chain_.get(), whitelist.get(), result, BoundNetLog())); | |
| 209 } | |
| 210 | |
| 211 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | |
| 212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | |
| 213 "subject", "issuer", base::Time(), base::Time::Now())); | |
| 214 ct::CTVerifyResult result; | |
| 215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
| 216 &result); | |
| 217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); | |
| 219 // ... but should be OK if whitelisted. | |
| 220 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
| 221 new DummyEVCertsWhitelist(true, true)); | |
| 222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 223 chain_.get(), whitelist.get(), result, BoundNetLog())); | |
| 224 } | |
| 225 | |
| 226 TEST_F(CertPolicyEnforcerTest, | |
| 227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | |
| 228 // Test multiple validity periods | |
| 229 const struct TestData { | |
| 230 base::Time validity_start; | |
| 231 base::Time validity_end; | |
| 232 size_t scts_required; | |
| 233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | |
| 234 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | |
| 235 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), | |
| 236 2}, | |
| 237 {// Cert valid for exactly 15 months, needs 3 SCTs. | |
| 238 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | |
| 239 base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}), | |
| 240 3}, | |
| 241 {// Cert valid for over 15 months, needs 3 SCTs. | |
| 242 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | |
| 243 base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}), | |
| 244 3}, | |
| 245 {// Cert valid for exactly 27 months, needs 3 SCTs. | |
| 246 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | |
| 247 base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}), | |
| 248 3}, | |
| 249 {// Cert valid for over 27 months, needs 4 SCTs. | |
| 250 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | |
| 251 base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}), | |
| 252 4}, | |
| 253 {// Cert valid for exactly 39 months, needs 4 SCTs. | |
| 254 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | |
| 255 base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}), | |
| 256 4}, | |
| 257 {// Cert valid for over 39 months, needs 5 SCTs. | |
| 258 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | |
| 259 base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}), | |
| 260 5}}; | |
| 261 | |
| 262 for (size_t i = 0; i < arraysize(kTestData); ++i) { | |
| 263 SCOPED_TRACE(i); | |
| 264 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( | |
| 265 kTestData[i].validity_start, kTestData[i].validity_end, | |
| 266 kTestData[i].scts_required); | |
| 267 } | |
| 268 } | |
| 269 | |
| 270 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | |
| 271 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
| 272 new DummyEVCertsWhitelist(true, true)); | |
| 273 | |
| 274 ct::CTVerifyResult result; | |
| 275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 276 &result); | |
| 277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 278 chain_.get(), whitelist.get(), result, BoundNetLog())); | |
| 279 } | |
| 280 | |
| 281 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | |
| 282 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
| 283 new DummyEVCertsWhitelist(false, true)); | |
| 284 | |
| 285 ct::CTVerifyResult result; | |
| 286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 287 &result); | |
| 288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 289 chain_.get(), whitelist.get(), result, BoundNetLog())); | |
| 290 } | |
| 291 | |
| 292 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { | |
| 293 ct::CTVerifyResult result; | |
| 294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 295 &result); | |
| 296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 297 chain_.get(), nullptr, result, BoundNetLog())); | |
| 298 } | |
| 299 | |
| 300 } // namespace | |
| 301 | |
| 302 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1579233002:
Rename CertPolicyEnforcer to CTPolicyEnforcer (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master