Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(341)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/ct_policy_enforcer_unittest.cc

Issue 1579233002: Rename CertPolicyEnforcer to CTPolicyEnforcer (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/ct_policy_enforcer.cc ('k') | net/http/http_network_session.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_policy_enforcer.h" 5 #include "net/cert/ct_policy_enforcer.h"
6 6
7 #include <string> 7 #include <string>
8 8
9 #include "base/memory/scoped_ptr.h" 9 #include "base/memory/scoped_ptr.h"
10 #include "base/time/time.h" 10 #include "base/time/time.h"
11 #include "base/version.h" 11 #include "base/version.h"
12 #include "crypto/sha2.h" 12 #include "crypto/sha2.h"
13 #include "net/base/test_data_directory.h" 13 #include "net/base/test_data_directory.h"
14 #include "net/cert/ct_ev_whitelist.h" 14 #include "net/cert/ct_ev_whitelist.h"
15 #include "net/cert/ct_verify_result.h" 15 #include "net/cert/ct_verify_result.h"
(...skipping 29 matching lines...) Expand all
45 bool canned_is_valid_; 45 bool canned_is_valid_;
46 bool canned_contains_response_; 46 bool canned_contains_response_;
47 }; 47 };
48 48
49 const char kGoogleAviatorLogID[] = 49 const char kGoogleAviatorLogID[] =
50 "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" 50 "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51"
51 "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; 51 "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4";
52 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length, 52 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length,
53 "Incorrect log ID length."); 53 "Incorrect log ID length.");
54 54
55 class CertPolicyEnforcerTest : public ::testing::Test { 55 class CTPolicyEnforcerTest : public ::testing::Test {
56 public: 56 public:
57 void SetUp() override { 57 void SetUp() override {
58 policy_enforcer_.reset(new CertPolicyEnforcer); 58 policy_enforcer_.reset(new CTPolicyEnforcer);
59 59
60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); 60 std::string der_test_cert(ct::GetDerEncodedX509Cert());
61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), 61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
62 der_test_cert.size()); 62 der_test_cert.size());
63 ASSERT_TRUE(chain_.get()); 63 ASSERT_TRUE(chain_.get());
64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); 64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length);
65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); 65 non_google_log_id_.assign(crypto::kSHA256Length, 'A');
66 } 66 }
67 67
68 void FillResultWithSCTsOfOrigin( 68 void FillResultWithSCTsOfOrigin(
(...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after
130 } 130 }
131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
132 std::vector<std::string>(), false, &result); 132 std::vector<std::string>(), false, &result);
133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
134 cert.get(), nullptr, result, BoundNetLog())) 134 cert.get(), nullptr, result, BoundNetLog()))
135 << " for: " << (end - start).InDays() << " and " << required_scts 135 << " for: " << (end - start).InDays() << " and " << required_scts
136 << " scts=" << result.verified_scts.size(); 136 << " scts=" << result.verified_scts.size();
137 } 137 }
138 138
139 protected: 139 protected:
140 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; 140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_;
141 scoped_refptr<X509Certificate> chain_; 141 scoped_refptr<X509Certificate> chain_;
142 std::string google_log_id_; 142 std::string google_log_id_;
143 std::string non_google_log_id_; 143 std::string non_google_log_id_;
144 }; 144 };
145 145
146 TEST_F(CertPolicyEnforcerTest, 146 TEST_F(CTPolicyEnforcerTest,
147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { 147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) {
148 ct::CTVerifyResult result; 148 ct::CTVerifyResult result;
149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); 149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);
150 150
151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
152 chain_.get(), nullptr, result, BoundNetLog())); 152 chain_.get(), nullptr, result, BoundNetLog()));
153 } 153 }
154 154
155 TEST_F(CertPolicyEnforcerTest, 155 TEST_F(CTPolicyEnforcerTest,
156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { 156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) {
157 ct::CTVerifyResult result; 157 ct::CTVerifyResult result;
158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); 158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);
159 159
160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
161 chain_.get(), nullptr, result, BoundNetLog())); 161 chain_.get(), nullptr, result, BoundNetLog()));
162 } 162 }
163 163
164 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { 164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
165 ct::CTVerifyResult result; 165 ct::CTVerifyResult result;
166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); 166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);
167 167
168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
169 result, BoundNetLog())); 169 result, BoundNetLog()));
170 } 170 }
171 171
172 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { 172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
173 ct::CTVerifyResult result; 173 ct::CTVerifyResult result;
174 FillResultWithSCTsOfOrigin( 174 FillResultWithSCTsOfOrigin(
175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); 175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
176 176
177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
178 result, BoundNetLog())); 178 result, BoundNetLog()));
179 } 179 }
180 180
181 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { 181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. 182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
183 ct::CTVerifyResult result; 183 ct::CTVerifyResult result;
184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
185 &result); 185 &result);
186 186
187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
188 result, BoundNetLog())); 188 result, BoundNetLog()));
189 } 189 }
190 190
191 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { 191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( 192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
193 new DummyEVCertsWhitelist(true, false)); 193 new DummyEVCertsWhitelist(true, false));
194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. 194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
195 // However, as there are only two logs, two SCTs will be required - supply one 195 // However, as there are only two logs, two SCTs will be required - supply one
196 // to guarantee the test fails. 196 // to guarantee the test fails.
197 ct::CTVerifyResult result; 197 ct::CTVerifyResult result;
198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
199 &result); 199 &result);
200 200
201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); 202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));
203 203
204 // ... but should be OK if whitelisted. 204 // ... but should be OK if whitelisted.
205 scoped_refptr<ct::EVCertsWhitelist> whitelist( 205 scoped_refptr<ct::EVCertsWhitelist> whitelist(
206 new DummyEVCertsWhitelist(true, true)); 206 new DummyEVCertsWhitelist(true, true));
207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
208 chain_.get(), whitelist.get(), result, BoundNetLog())); 208 chain_.get(), whitelist.get(), result, BoundNetLog()));
209 } 209 }
210 210
211 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { 211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( 212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
213 "subject", "issuer", base::Time(), base::Time::Now())); 213 "subject", "issuer", base::Time(), base::Time::Now()));
214 ct::CTVerifyResult result; 214 ct::CTVerifyResult result;
215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
216 &result); 216 &result);
217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); 218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
219 // ... but should be OK if whitelisted. 219 // ... but should be OK if whitelisted.
220 scoped_refptr<ct::EVCertsWhitelist> whitelist( 220 scoped_refptr<ct::EVCertsWhitelist> whitelist(
221 new DummyEVCertsWhitelist(true, true)); 221 new DummyEVCertsWhitelist(true, true));
222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
223 chain_.get(), whitelist.get(), result, BoundNetLog())); 223 chain_.get(), whitelist.get(), result, BoundNetLog()));
224 } 224 }
225 225
226 TEST_F(CertPolicyEnforcerTest, 226 TEST_F(CTPolicyEnforcerTest,
227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { 227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
228 // Test multiple validity periods 228 // Test multiple validity periods
229 const struct TestData { 229 const struct TestData {
230 base::Time validity_start; 230 base::Time validity_start;
231 base::Time validity_end; 231 base::Time validity_end;
232 size_t scts_required; 232 size_t scts_required;
233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. 233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
234 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), 234 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
235 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), 235 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
236 2}, 236 2},
(...skipping 23 matching lines...) Expand all
260 5}}; 260 5}};
261 261
262 for (size_t i = 0; i < arraysize(kTestData); ++i) { 262 for (size_t i = 0; i < arraysize(kTestData); ++i) {
263 SCOPED_TRACE(i); 263 SCOPED_TRACE(i);
264 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( 264 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
265 kTestData[i].validity_start, kTestData[i].validity_end, 265 kTestData[i].validity_start, kTestData[i].validity_end,
266 kTestData[i].scts_required); 266 kTestData[i].scts_required);
267 } 267 }
268 } 268 }
269 269
270 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { 270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
271 scoped_refptr<ct::EVCertsWhitelist> whitelist( 271 scoped_refptr<ct::EVCertsWhitelist> whitelist(
272 new DummyEVCertsWhitelist(true, true)); 272 new DummyEVCertsWhitelist(true, true));
273 273
274 ct::CTVerifyResult result; 274 ct::CTVerifyResult result;
275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
276 &result); 276 &result);
277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
278 chain_.get(), whitelist.get(), result, BoundNetLog())); 278 chain_.get(), whitelist.get(), result, BoundNetLog()));
279 } 279 }
280 280
281 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { 281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
282 scoped_refptr<ct::EVCertsWhitelist> whitelist( 282 scoped_refptr<ct::EVCertsWhitelist> whitelist(
283 new DummyEVCertsWhitelist(false, true)); 283 new DummyEVCertsWhitelist(false, true));
284 284
285 ct::CTVerifyResult result; 285 ct::CTVerifyResult result;
286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
287 &result); 287 &result);
288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
289 chain_.get(), whitelist.get(), result, BoundNetLog())); 289 chain_.get(), whitelist.get(), result, BoundNetLog()));
290 } 290 }
291 291
292 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { 292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
293 ct::CTVerifyResult result; 293 ct::CTVerifyResult result;
294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
295 &result); 295 &result);
296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
297 chain_.get(), nullptr, result, BoundNetLog())); 297 chain_.get(), nullptr, result, BoundNetLog()));
298 } 298 }
299 299
300 } // namespace 300 } // namespace
301 301
302 } // namespace net 302 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/ct_policy_enforcer.cc ('k') | net/http/http_network_session.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698