Index: net/cert/cert_policy_enforcer_unittest.cc |
diff --git a/net/cert/cert_policy_enforcer_unittest.cc b/net/cert/cert_policy_enforcer_unittest.cc |
deleted file mode 100644 |
index 2facbc264e9a2094a806f36254d1ce5a463a6ebf..0000000000000000000000000000000000000000 |
--- a/net/cert/cert_policy_enforcer_unittest.cc |
+++ /dev/null |
@@ -1,302 +0,0 @@ |
-// Copyright 2014 The Chromium Authors. All rights reserved. |
-// Use of this source code is governed by a BSD-style license that can be |
-// found in the LICENSE file. |
- |
-#include "net/cert/cert_policy_enforcer.h" |
- |
-#include <string> |
- |
-#include "base/memory/scoped_ptr.h" |
-#include "base/time/time.h" |
-#include "base/version.h" |
-#include "crypto/sha2.h" |
-#include "net/base/test_data_directory.h" |
-#include "net/cert/ct_ev_whitelist.h" |
-#include "net/cert/ct_verify_result.h" |
-#include "net/cert/x509_certificate.h" |
-#include "net/test/cert_test_util.h" |
-#include "net/test/ct_test_util.h" |
-#include "testing/gmock/include/gmock/gmock.h" |
-#include "testing/gtest/include/gtest/gtest.h" |
- |
-namespace net { |
- |
-namespace { |
- |
-class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { |
- public: |
- DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response) |
- : canned_is_valid_(is_valid_response), |
- canned_contains_response_(contains_hash_response) {} |
- |
- bool IsValid() const override { return canned_is_valid_; } |
- |
- bool ContainsCertificateHash( |
- const std::string& certificate_hash) const override { |
- return canned_contains_response_; |
- } |
- |
- base::Version Version() const override { return base::Version(); } |
- |
- protected: |
- ~DummyEVCertsWhitelist() override {} |
- |
- private: |
- bool canned_is_valid_; |
- bool canned_contains_response_; |
-}; |
- |
-const char kGoogleAviatorLogID[] = |
- "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" |
- "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; |
-static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length, |
- "Incorrect log ID length."); |
- |
-class CertPolicyEnforcerTest : public ::testing::Test { |
- public: |
- void SetUp() override { |
- policy_enforcer_.reset(new CertPolicyEnforcer); |
- |
- std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
- chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
- der_test_cert.size()); |
- ASSERT_TRUE(chain_.get()); |
- google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); |
- non_google_log_id_.assign(crypto::kSHA256Length, 'A'); |
- } |
- |
- void FillResultWithSCTsOfOrigin( |
- ct::SignedCertificateTimestamp::Origin desired_origin, |
- size_t num_scts, |
- const std::vector<std::string>& desired_log_keys, |
- bool timestamp_past_enforcement_date, |
- ct::CTVerifyResult* result) { |
- for (size_t i = 0; i < num_scts; ++i) { |
- scoped_refptr<ct::SignedCertificateTimestamp> sct( |
- new ct::SignedCertificateTimestamp()); |
- sct->origin = desired_origin; |
- if (i < desired_log_keys.size()) |
- sct->log_id = desired_log_keys[i]; |
- else |
- sct->log_id = non_google_log_id_; |
- |
- if (timestamp_past_enforcement_date) |
- sct->timestamp = |
- base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); |
- else |
- sct->timestamp = |
- base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); |
- |
- result->verified_scts.push_back(sct); |
- } |
- } |
- |
- void FillResultWithSCTsOfOrigin( |
- ct::SignedCertificateTimestamp::Origin desired_origin, |
- size_t num_scts, |
- ct::CTVerifyResult* result) { |
- std::vector<std::string> desired_log_ids; |
- desired_log_ids.push_back(google_log_id_); |
- FillResultWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, |
- result); |
- } |
- |
- void FillResultWithRepeatedLogID(const std::string& desired_id, |
- size_t num_scts, |
- bool timestamp_past_enforcement_date, |
- ct::CTVerifyResult* result) { |
- std::vector<std::string> desired_log_ids(num_scts, desired_id); |
- |
- FillResultWithSCTsOfOrigin( |
- ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, num_scts, |
- desired_log_ids, timestamp_past_enforcement_date, result); |
- } |
- |
- void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( |
- const base::Time& start, |
- const base::Time& end, |
- size_t required_scts) { |
- scoped_refptr<X509Certificate> cert( |
- new X509Certificate("subject", "issuer", start, end)); |
- ct::CTVerifyResult result; |
- |
- for (size_t i = 0; i < required_scts - 1; ++i) { |
- FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
- 1, std::vector<std::string>(), false, &result); |
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
- cert.get(), nullptr, result, BoundNetLog())) |
- << " for: " << (end - start).InDays() << " and " << required_scts |
- << " scts=" << result.verified_scts.size() << " i=" << i; |
- } |
- FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
- std::vector<std::string>(), false, &result); |
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
- cert.get(), nullptr, result, BoundNetLog())) |
- << " for: " << (end - start).InDays() << " and " << required_scts |
- << " scts=" << result.verified_scts.size(); |
- } |
- |
- protected: |
- scoped_ptr<CertPolicyEnforcer> policy_enforcer_; |
- scoped_refptr<X509Certificate> chain_; |
- std::string google_log_id_; |
- std::string non_google_log_id_; |
-}; |
- |
-TEST_F(CertPolicyEnforcerTest, |
- DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
- ct::CTVerifyResult result; |
- FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
- |
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, result, BoundNetLog())); |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, |
- DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
- ct::CTVerifyResult result; |
- FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
- |
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, result, BoundNetLog())); |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
- ct::CTVerifyResult result; |
- FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
- |
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
- result, BoundNetLog())); |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
- ct::CTVerifyResult result; |
- FillResultWithSCTsOfOrigin( |
- ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
- |
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
- result, BoundNetLog())); |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
- // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
- ct::CTVerifyResult result; |
- FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
- &result); |
- |
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
- result, BoundNetLog())); |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
- scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
- new DummyEVCertsWhitelist(true, false)); |
- // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
- // However, as there are only two logs, two SCTs will be required - supply one |
- // to guarantee the test fails. |
- ct::CTVerifyResult result; |
- FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
- &result); |
- |
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); |
- |
- // ... but should be OK if whitelisted. |
- scoped_refptr<ct::EVCertsWhitelist> whitelist( |
- new DummyEVCertsWhitelist(true, true)); |
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), whitelist.get(), result, BoundNetLog())); |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
- scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
- "subject", "issuer", base::Time(), base::Time::Now())); |
- ct::CTVerifyResult result; |
- FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
- &result); |
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
- no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); |
- // ... but should be OK if whitelisted. |
- scoped_refptr<ct::EVCertsWhitelist> whitelist( |
- new DummyEVCertsWhitelist(true, true)); |
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), whitelist.get(), result, BoundNetLog())); |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, |
- ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
- // Test multiple validity periods |
- const struct TestData { |
- base::Time validity_start; |
- base::Time validity_end; |
- size_t scts_required; |
- } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
- base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), |
- 2}, |
- {// Cert valid for exactly 15 months, needs 3 SCTs. |
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
- base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}), |
- 3}, |
- {// Cert valid for over 15 months, needs 3 SCTs. |
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
- base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}), |
- 3}, |
- {// Cert valid for exactly 27 months, needs 3 SCTs. |
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
- base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}), |
- 3}, |
- {// Cert valid for over 27 months, needs 4 SCTs. |
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
- base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}), |
- 4}, |
- {// Cert valid for exactly 39 months, needs 4 SCTs. |
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
- base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}), |
- 4}, |
- {// Cert valid for over 39 months, needs 5 SCTs. |
- base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}), |
- base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}), |
- 5}}; |
- |
- for (size_t i = 0; i < arraysize(kTestData); ++i) { |
- SCOPED_TRACE(i); |
- CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( |
- kTestData[i].validity_start, kTestData[i].validity_end, |
- kTestData[i].scts_required); |
- } |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
- scoped_refptr<ct::EVCertsWhitelist> whitelist( |
- new DummyEVCertsWhitelist(true, true)); |
- |
- ct::CTVerifyResult result; |
- FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
- &result); |
- EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), whitelist.get(), result, BoundNetLog())); |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
- scoped_refptr<ct::EVCertsWhitelist> whitelist( |
- new DummyEVCertsWhitelist(false, true)); |
- |
- ct::CTVerifyResult result; |
- FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
- &result); |
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), whitelist.get(), result, BoundNetLog())); |
-} |
- |
-TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
- ct::CTVerifyResult result; |
- FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
- &result); |
- EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, result, BoundNetLog())); |
-} |
- |
-} // namespace |
- |
-} // namespace net |