OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
58 policy_enforcer_.reset(new CTPolicyEnforcer); | 58 policy_enforcer_.reset(new CTPolicyEnforcer); |
59 | 59 |
60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | 61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
62 der_test_cert.size()); | 62 der_test_cert.size()); |
63 ASSERT_TRUE(chain_.get()); | 63 ASSERT_TRUE(chain_.get()); |
64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); | 64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); |
65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); | 65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); |
66 } | 66 } |
67 | 67 |
68 // TODO(eranm): remove the use of CTVerifyResult in this file and just | |
69 // use lists of verified SCTs. | |
Ryan Sleevi
2016/02/18 06:46:51
comment nit: s/remove/Remove/ (proper sentence)
co
estark
2016/02/18 19:24:31
Done.
| |
68 void FillResultWithSCTsOfOrigin( | 70 void FillResultWithSCTsOfOrigin( |
69 ct::SignedCertificateTimestamp::Origin desired_origin, | 71 ct::SignedCertificateTimestamp::Origin desired_origin, |
70 size_t num_scts, | 72 size_t num_scts, |
71 const std::vector<std::string>& desired_log_keys, | 73 const std::vector<std::string>& desired_log_keys, |
72 bool timestamp_past_enforcement_date, | 74 bool timestamp_past_enforcement_date, |
73 ct::CTVerifyResult* result) { | 75 ct::CTVerifyResult* result) { |
74 for (size_t i = 0; i < num_scts; ++i) { | 76 for (size_t i = 0; i < num_scts; ++i) { |
75 scoped_refptr<ct::SignedCertificateTimestamp> sct( | 77 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
76 new ct::SignedCertificateTimestamp()); | 78 new ct::SignedCertificateTimestamp()); |
77 sct->origin = desired_origin; | 79 sct->origin = desired_origin; |
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
116 const base::Time& start, | 118 const base::Time& start, |
117 const base::Time& end, | 119 const base::Time& end, |
118 size_t required_scts) { | 120 size_t required_scts) { |
119 scoped_refptr<X509Certificate> cert( | 121 scoped_refptr<X509Certificate> cert( |
120 new X509Certificate("subject", "issuer", start, end)); | 122 new X509Certificate("subject", "issuer", start, end)); |
121 ct::CTVerifyResult result; | 123 ct::CTVerifyResult result; |
122 | 124 |
123 for (size_t i = 0; i < required_scts - 1; ++i) { | 125 for (size_t i = 0; i < required_scts - 1; ++i) { |
124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 126 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
125 1, std::vector<std::string>(), false, &result); | 127 1, std::vector<std::string>(), false, &result); |
126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 128 EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
127 cert.get(), nullptr, result, BoundNetLog())) | 129 policy_enforcer_->DoesConformToCTEVPolicy( |
130 cert.get(), nullptr, result.verified_scts, BoundNetLog())) | |
128 << " for: " << (end - start).InDays() << " and " << required_scts | 131 << " for: " << (end - start).InDays() << " and " << required_scts |
129 << " scts=" << result.verified_scts.size() << " i=" << i; | 132 << " scts=" << result.verified_scts.size() << " i=" << i; |
130 } | 133 } |
131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 134 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
132 std::vector<std::string>(), false, &result); | 135 std::vector<std::string>(), false, &result); |
133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 136 EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
134 cert.get(), nullptr, result, BoundNetLog())) | 137 policy_enforcer_->DoesConformToCTEVPolicy( |
138 cert.get(), nullptr, result.verified_scts, BoundNetLog())) | |
135 << " for: " << (end - start).InDays() << " and " << required_scts | 139 << " for: " << (end - start).InDays() << " and " << required_scts |
136 << " scts=" << result.verified_scts.size(); | 140 << " scts=" << result.verified_scts.size(); |
137 } | 141 } |
138 | 142 |
139 protected: | 143 protected: |
140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; | 144 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
141 scoped_refptr<X509Certificate> chain_; | 145 scoped_refptr<X509Certificate> chain_; |
142 std::string google_log_id_; | 146 std::string google_log_id_; |
143 std::string non_google_log_id_; | 147 std::string non_google_log_id_; |
144 }; | 148 }; |
145 | 149 |
146 TEST_F(CTPolicyEnforcerTest, | 150 TEST_F(CTPolicyEnforcerTest, |
147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 151 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
148 ct::CTVerifyResult result; | 152 ct::CTVerifyResult result; |
149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); | 153 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
150 | 154 |
151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 155 EXPECT_EQ(ct::EV_POLICY_NOT_DIVERSE_SCTS, |
152 chain_.get(), nullptr, result, BoundNetLog())); | 156 policy_enforcer_->DoesConformToCTEVPolicy( |
157 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
153 } | 158 } |
154 | 159 |
155 TEST_F(CTPolicyEnforcerTest, | 160 TEST_F(CTPolicyEnforcerTest, |
156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 161 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
157 ct::CTVerifyResult result; | 162 ct::CTVerifyResult result; |
158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); | 163 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
159 | 164 |
160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 165 EXPECT_EQ(ct::EV_POLICY_NOT_DIVERSE_SCTS, |
161 chain_.get(), nullptr, result, BoundNetLog())); | 166 policy_enforcer_->DoesConformToCTEVPolicy( |
167 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
162 } | 168 } |
163 | 169 |
164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 170 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
165 ct::CTVerifyResult result; | 171 ct::CTVerifyResult result; |
166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); | 172 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
167 | 173 |
168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 174 EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
169 result, BoundNetLog())); | 175 policy_enforcer_->DoesConformToCTEVPolicy( |
176 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
170 } | 177 } |
171 | 178 |
172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 179 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
173 ct::CTVerifyResult result; | 180 ct::CTVerifyResult result; |
174 FillResultWithSCTsOfOrigin( | 181 FillResultWithSCTsOfOrigin( |
175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 182 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
176 | 183 |
177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 184 EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
178 result, BoundNetLog())); | 185 policy_enforcer_->DoesConformToCTEVPolicy( |
186 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
179 } | 187 } |
180 | 188 |
181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 189 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 190 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
183 ct::CTVerifyResult result; | 191 ct::CTVerifyResult result; |
184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 192 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
185 &result); | 193 &result); |
186 | 194 |
187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 195 EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
188 result, BoundNetLog())); | 196 policy_enforcer_->DoesConformToCTEVPolicy( |
197 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
189 } | 198 } |
190 | 199 |
191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 200 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 201 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
193 new DummyEVCertsWhitelist(true, false)); | 202 new DummyEVCertsWhitelist(true, false)); |
194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 203 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
195 // However, as there are only two logs, two SCTs will be required - supply one | 204 // However, as there are only two logs, two SCTs will be required - supply one |
196 // to guarantee the test fails. | 205 // to guarantee the test fails. |
197 ct::CTVerifyResult result; | 206 ct::CTVerifyResult result; |
198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 207 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
199 &result); | 208 &result); |
200 | 209 |
201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 210 EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); | 211 policy_enforcer_->DoesConformToCTEVPolicy( |
212 chain_.get(), non_including_whitelist.get(), | |
213 result.verified_scts, BoundNetLog())); | |
203 | 214 |
204 // ... but should be OK if whitelisted. | 215 // ... but should be OK if whitelisted. |
205 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 216 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
206 new DummyEVCertsWhitelist(true, true)); | 217 new DummyEVCertsWhitelist(true, true)); |
207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 218 EXPECT_EQ( |
208 chain_.get(), whitelist.get(), result, BoundNetLog())); | 219 ct::EV_POLICY_COMPLIES_VIA_WHITELIST, |
220 policy_enforcer_->DoesConformToCTEVPolicy( | |
221 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
209 } | 222 } |
210 | 223 |
211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 224 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 225 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
213 "subject", "issuer", base::Time(), base::Time::Now())); | 226 "subject", "issuer", base::Time(), base::Time::Now())); |
214 ct::CTVerifyResult result; | 227 ct::CTVerifyResult result; |
215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 228 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
216 &result); | 229 &result); |
217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 230 EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); | 231 policy_enforcer_->DoesConformToCTEVPolicy( |
232 no_valid_dates_cert.get(), nullptr, result.verified_scts, | |
233 BoundNetLog())); | |
219 // ... but should be OK if whitelisted. | 234 // ... but should be OK if whitelisted. |
220 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 235 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
221 new DummyEVCertsWhitelist(true, true)); | 236 new DummyEVCertsWhitelist(true, true)); |
222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 237 EXPECT_EQ( |
223 chain_.get(), whitelist.get(), result, BoundNetLog())); | 238 ct::EV_POLICY_COMPLIES_VIA_WHITELIST, |
239 policy_enforcer_->DoesConformToCTEVPolicy( | |
240 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
224 } | 241 } |
225 | 242 |
226 TEST_F(CTPolicyEnforcerTest, | 243 TEST_F(CTPolicyEnforcerTest, |
227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 244 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
228 // Test multiple validity periods | 245 // Test multiple validity periods |
229 const struct TestData { | 246 const struct TestData { |
230 base::Time validity_start; | 247 base::Time validity_start; |
231 base::Time validity_end; | 248 base::Time validity_end; |
232 size_t scts_required; | 249 size_t scts_required; |
233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 250 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
267 } | 284 } |
268 } | 285 } |
269 | 286 |
270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 287 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
271 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 288 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
272 new DummyEVCertsWhitelist(true, true)); | 289 new DummyEVCertsWhitelist(true, true)); |
273 | 290 |
274 ct::CTVerifyResult result; | 291 ct::CTVerifyResult result; |
275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 292 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
276 &result); | 293 &result); |
277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 294 EXPECT_EQ( |
278 chain_.get(), whitelist.get(), result, BoundNetLog())); | 295 ct::EV_POLICY_COMPLIES_VIA_WHITELIST, |
296 policy_enforcer_->DoesConformToCTEVPolicy( | |
297 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
279 } | 298 } |
280 | 299 |
281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 300 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
282 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 301 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
283 new DummyEVCertsWhitelist(false, true)); | 302 new DummyEVCertsWhitelist(false, true)); |
284 | 303 |
285 ct::CTVerifyResult result; | 304 ct::CTVerifyResult result; |
286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 305 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
287 &result); | 306 &result); |
288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 307 EXPECT_EQ( |
289 chain_.get(), whitelist.get(), result, BoundNetLog())); | 308 ct::EV_POLICY_NOT_ENOUGH_SCTS, |
309 policy_enforcer_->DoesConformToCTEVPolicy( | |
310 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
290 } | 311 } |
291 | 312 |
292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 313 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
293 ct::CTVerifyResult result; | 314 ct::CTVerifyResult result; |
294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 315 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
295 &result); | 316 &result); |
296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 317 EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
297 chain_.get(), nullptr, result, BoundNetLog())); | 318 policy_enforcer_->DoesConformToCTEVPolicy( |
319 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
298 } | 320 } |
299 | 321 |
300 } // namespace | 322 } // namespace |
301 | 323 |
302 } // namespace net | 324 } // namespace net |
OLD | NEW |