OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
11 #include "base/version.h" | 11 #include "base/version.h" |
12 #include "crypto/sha2.h" | 12 #include "crypto/sha2.h" |
13 #include "net/base/test_data_directory.h" | 13 #include "net/base/test_data_directory.h" |
14 #include "net/cert/ct_ev_whitelist.h" | 14 #include "net/cert/ct_ev_whitelist.h" |
15 #include "net/cert/ct_verify_result.h" | 15 #include "net/cert/ct_verify_result.h" |
(...skipping 29 matching lines...) Expand all Loading... |
45 bool canned_is_valid_; | 45 bool canned_is_valid_; |
46 bool canned_contains_response_; | 46 bool canned_contains_response_; |
47 }; | 47 }; |
48 | 48 |
49 const char kGoogleAviatorLogID[] = | 49 const char kGoogleAviatorLogID[] = |
50 "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" | 50 "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" |
51 "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; | 51 "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; |
52 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length, | 52 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length, |
53 "Incorrect log ID length."); | 53 "Incorrect log ID length."); |
54 | 54 |
55 class CertPolicyEnforcerTest : public ::testing::Test { | 55 class CTPolicyEnforcerTest : public ::testing::Test { |
56 public: | 56 public: |
57 void SetUp() override { | 57 void SetUp() override { |
58 policy_enforcer_.reset(new CertPolicyEnforcer); | 58 policy_enforcer_.reset(new CTPolicyEnforcer); |
59 | 59 |
60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | 61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
62 der_test_cert.size()); | 62 der_test_cert.size()); |
63 ASSERT_TRUE(chain_.get()); | 63 ASSERT_TRUE(chain_.get()); |
64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); | 64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); |
65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); | 65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); |
66 } | 66 } |
67 | 67 |
68 void FillResultWithSCTsOfOrigin( | 68 void FillResultWithSCTsOfOrigin( |
(...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
130 } | 130 } |
131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
132 std::vector<std::string>(), false, &result); | 132 std::vector<std::string>(), false, &result); |
133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
134 cert.get(), nullptr, result, BoundNetLog())) | 134 cert.get(), nullptr, result, BoundNetLog())) |
135 << " for: " << (end - start).InDays() << " and " << required_scts | 135 << " for: " << (end - start).InDays() << " and " << required_scts |
136 << " scts=" << result.verified_scts.size(); | 136 << " scts=" << result.verified_scts.size(); |
137 } | 137 } |
138 | 138 |
139 protected: | 139 protected: |
140 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; | 140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
141 scoped_refptr<X509Certificate> chain_; | 141 scoped_refptr<X509Certificate> chain_; |
142 std::string google_log_id_; | 142 std::string google_log_id_; |
143 std::string non_google_log_id_; | 143 std::string non_google_log_id_; |
144 }; | 144 }; |
145 | 145 |
146 TEST_F(CertPolicyEnforcerTest, | 146 TEST_F(CTPolicyEnforcerTest, |
147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
148 ct::CTVerifyResult result; | 148 ct::CTVerifyResult result; |
149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); | 149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
150 | 150 |
151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
152 chain_.get(), nullptr, result, BoundNetLog())); | 152 chain_.get(), nullptr, result, BoundNetLog())); |
153 } | 153 } |
154 | 154 |
155 TEST_F(CertPolicyEnforcerTest, | 155 TEST_F(CTPolicyEnforcerTest, |
156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
157 ct::CTVerifyResult result; | 157 ct::CTVerifyResult result; |
158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); | 158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
159 | 159 |
160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
161 chain_.get(), nullptr, result, BoundNetLog())); | 161 chain_.get(), nullptr, result, BoundNetLog())); |
162 } | 162 } |
163 | 163 |
164 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
165 ct::CTVerifyResult result; | 165 ct::CTVerifyResult result; |
166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); | 166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
167 | 167 |
168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
169 result, BoundNetLog())); | 169 result, BoundNetLog())); |
170 } | 170 } |
171 | 171 |
172 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
173 ct::CTVerifyResult result; | 173 ct::CTVerifyResult result; |
174 FillResultWithSCTsOfOrigin( | 174 FillResultWithSCTsOfOrigin( |
175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
176 | 176 |
177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
178 result, BoundNetLog())); | 178 result, BoundNetLog())); |
179 } | 179 } |
180 | 180 |
181 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
183 ct::CTVerifyResult result; | 183 ct::CTVerifyResult result; |
184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
185 &result); | 185 &result); |
186 | 186 |
187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
188 result, BoundNetLog())); | 188 result, BoundNetLog())); |
189 } | 189 } |
190 | 190 |
191 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
193 new DummyEVCertsWhitelist(true, false)); | 193 new DummyEVCertsWhitelist(true, false)); |
194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
195 // However, as there are only two logs, two SCTs will be required - supply one | 195 // However, as there are only two logs, two SCTs will be required - supply one |
196 // to guarantee the test fails. | 196 // to guarantee the test fails. |
197 ct::CTVerifyResult result; | 197 ct::CTVerifyResult result; |
198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
199 &result); | 199 &result); |
200 | 200 |
201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); | 202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); |
203 | 203 |
204 // ... but should be OK if whitelisted. | 204 // ... but should be OK if whitelisted. |
205 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 205 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
206 new DummyEVCertsWhitelist(true, true)); | 206 new DummyEVCertsWhitelist(true, true)); |
207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
208 chain_.get(), whitelist.get(), result, BoundNetLog())); | 208 chain_.get(), whitelist.get(), result, BoundNetLog())); |
209 } | 209 } |
210 | 210 |
211 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
213 "subject", "issuer", base::Time(), base::Time::Now())); | 213 "subject", "issuer", base::Time(), base::Time::Now())); |
214 ct::CTVerifyResult result; | 214 ct::CTVerifyResult result; |
215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
216 &result); | 216 &result); |
217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); | 218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); |
219 // ... but should be OK if whitelisted. | 219 // ... but should be OK if whitelisted. |
220 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 220 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
221 new DummyEVCertsWhitelist(true, true)); | 221 new DummyEVCertsWhitelist(true, true)); |
222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
223 chain_.get(), whitelist.get(), result, BoundNetLog())); | 223 chain_.get(), whitelist.get(), result, BoundNetLog())); |
224 } | 224 } |
225 | 225 |
226 TEST_F(CertPolicyEnforcerTest, | 226 TEST_F(CTPolicyEnforcerTest, |
227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
228 // Test multiple validity periods | 228 // Test multiple validity periods |
229 const struct TestData { | 229 const struct TestData { |
230 base::Time validity_start; | 230 base::Time validity_start; |
231 base::Time validity_end; | 231 base::Time validity_end; |
232 size_t scts_required; | 232 size_t scts_required; |
233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
234 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), | 234 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
235 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), | 235 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), |
236 2}, | 236 2}, |
(...skipping 23 matching lines...) Expand all Loading... |
260 5}}; | 260 5}}; |
261 | 261 |
262 for (size_t i = 0; i < arraysize(kTestData); ++i) { | 262 for (size_t i = 0; i < arraysize(kTestData); ++i) { |
263 SCOPED_TRACE(i); | 263 SCOPED_TRACE(i); |
264 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( | 264 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( |
265 kTestData[i].validity_start, kTestData[i].validity_end, | 265 kTestData[i].validity_start, kTestData[i].validity_end, |
266 kTestData[i].scts_required); | 266 kTestData[i].scts_required); |
267 } | 267 } |
268 } | 268 } |
269 | 269 |
270 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
271 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 271 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
272 new DummyEVCertsWhitelist(true, true)); | 272 new DummyEVCertsWhitelist(true, true)); |
273 | 273 |
274 ct::CTVerifyResult result; | 274 ct::CTVerifyResult result; |
275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
276 &result); | 276 &result); |
277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
278 chain_.get(), whitelist.get(), result, BoundNetLog())); | 278 chain_.get(), whitelist.get(), result, BoundNetLog())); |
279 } | 279 } |
280 | 280 |
281 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
282 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 282 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
283 new DummyEVCertsWhitelist(false, true)); | 283 new DummyEVCertsWhitelist(false, true)); |
284 | 284 |
285 ct::CTVerifyResult result; | 285 ct::CTVerifyResult result; |
286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
287 &result); | 287 &result); |
288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
289 chain_.get(), whitelist.get(), result, BoundNetLog())); | 289 chain_.get(), whitelist.get(), result, BoundNetLog())); |
290 } | 290 } |
291 | 291 |
292 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
293 ct::CTVerifyResult result; | 293 ct::CTVerifyResult result; |
294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
295 &result); | 295 &result); |
296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
297 chain_.get(), nullptr, result, BoundNetLog())); | 297 chain_.get(), nullptr, result, BoundNetLog())); |
298 } | 298 } |
299 | 299 |
300 } // namespace | 300 } // namespace |
301 | 301 |
302 } // namespace net | 302 } // namespace net |
OLD | NEW |