Chromium Code Reviews Chromium Code Reviews
Issue 1652603002:
Add information to SSLInfo about CT EV policy compliance (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 58 policy_enforcer_.reset(new CTPolicyEnforcer); | 58 policy_enforcer_.reset(new CTPolicyEnforcer); |
| 59 | 59 |
| 60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
| 61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | 61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
| 62 der_test_cert.size()); | 62 der_test_cert.size()); |
| 63 ASSERT_TRUE(chain_.get()); | 63 ASSERT_TRUE(chain_.get()); |
| 64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); | 64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); |
| 65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); | 65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); |
| 66 } | 66 } |
| 67 | 67 |
| 68 // TODO(eranm): remove the use of CTVerifyResult in this file and just | |
| 69 // use lists of verified SCTs. | |
|
Ryan Sleevi
2016/02/18 06:46:51
comment nit: s/remove/Remove/ (proper sentence)
co
estark
2016/02/18 19:24:31
Done.
| |
| 68 void FillResultWithSCTsOfOrigin( | 70 void FillResultWithSCTsOfOrigin( |
| 69 ct::SignedCertificateTimestamp::Origin desired_origin, | 71 ct::SignedCertificateTimestamp::Origin desired_origin, |
| 70 size_t num_scts, | 72 size_t num_scts, |
| 71 const std::vector<std::string>& desired_log_keys, | 73 const std::vector<std::string>& desired_log_keys, |
| 72 bool timestamp_past_enforcement_date, | 74 bool timestamp_past_enforcement_date, |
| 73 ct::CTVerifyResult* result) { | 75 ct::CTVerifyResult* result) { |
| 74 for (size_t i = 0; i < num_scts; ++i) { | 76 for (size_t i = 0; i < num_scts; ++i) { |
| 75 scoped_refptr<ct::SignedCertificateTimestamp> sct( | 77 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
| 76 new ct::SignedCertificateTimestamp()); | 78 new ct::SignedCertificateTimestamp()); |
| 77 sct->origin = desired_origin; | 79 sct->origin = desired_origin; |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 116 const base::Time& start, | 118 const base::Time& start, |
| 117 const base::Time& end, | 119 const base::Time& end, |
| 118 size_t required_scts) { | 120 size_t required_scts) { |
| 119 scoped_refptr<X509Certificate> cert( | 121 scoped_refptr<X509Certificate> cert( |
| 120 new X509Certificate("subject", "issuer", start, end)); | 122 new X509Certificate("subject", "issuer", start, end)); |
| 121 ct::CTVerifyResult result; | 123 ct::CTVerifyResult result; |
| 122 | 124 |
| 123 for (size_t i = 0; i < required_scts - 1; ++i) { | 125 for (size_t i = 0; i < required_scts - 1; ++i) { |
| 124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 126 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 125 1, std::vector<std::string>(), false, &result); | 127 1, std::vector<std::string>(), false, &result); |
| 126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 128 EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| 127 cert.get(), nullptr, result, BoundNetLog())) | 129 policy_enforcer_->DoesConformToCTEVPolicy( |
| 130 cert.get(), nullptr, result.verified_scts, BoundNetLog())) | |
| 128 << " for: " << (end - start).InDays() << " and " << required_scts | 131 << " for: " << (end - start).InDays() << " and " << required_scts |
| 129 << " scts=" << result.verified_scts.size() << " i=" << i; | 132 << " scts=" << result.verified_scts.size() << " i=" << i; |
| 130 } | 133 } |
| 131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 134 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 132 std::vector<std::string>(), false, &result); | 135 std::vector<std::string>(), false, &result); |
| 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 136 EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
| 134 cert.get(), nullptr, result, BoundNetLog())) | 137 policy_enforcer_->DoesConformToCTEVPolicy( |
| 138 cert.get(), nullptr, result.verified_scts, BoundNetLog())) | |
| 135 << " for: " << (end - start).InDays() << " and " << required_scts | 139 << " for: " << (end - start).InDays() << " and " << required_scts |
| 136 << " scts=" << result.verified_scts.size(); | 140 << " scts=" << result.verified_scts.size(); |
| 137 } | 141 } |
| 138 | 142 |
| 139 protected: | 143 protected: |
| 140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; | 144 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
| 141 scoped_refptr<X509Certificate> chain_; | 145 scoped_refptr<X509Certificate> chain_; |
| 142 std::string google_log_id_; | 146 std::string google_log_id_; |
| 143 std::string non_google_log_id_; | 147 std::string non_google_log_id_; |
| 144 }; | 148 }; |
| 145 | 149 |
| 146 TEST_F(CTPolicyEnforcerTest, | 150 TEST_F(CTPolicyEnforcerTest, |
| 147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 151 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
| 148 ct::CTVerifyResult result; | 152 ct::CTVerifyResult result; |
| 149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); | 153 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
| 150 | 154 |
| 151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 155 EXPECT_EQ(ct::EV_POLICY_NOT_DIVERSE_SCTS, |
| 152 chain_.get(), nullptr, result, BoundNetLog())); | 156 policy_enforcer_->DoesConformToCTEVPolicy( |
| 157 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
| 153 } | 158 } |
| 154 | 159 |
| 155 TEST_F(CTPolicyEnforcerTest, | 160 TEST_F(CTPolicyEnforcerTest, |
| 156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 161 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
| 157 ct::CTVerifyResult result; | 162 ct::CTVerifyResult result; |
| 158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); | 163 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
| 159 | 164 |
| 160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 165 EXPECT_EQ(ct::EV_POLICY_NOT_DIVERSE_SCTS, |
| 161 chain_.get(), nullptr, result, BoundNetLog())); | 166 policy_enforcer_->DoesConformToCTEVPolicy( |
| 167 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
| 162 } | 168 } |
| 163 | 169 |
| 164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 170 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
| 165 ct::CTVerifyResult result; | 171 ct::CTVerifyResult result; |
| 166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); | 172 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
| 167 | 173 |
| 168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 174 EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
| 169 result, BoundNetLog())); | 175 policy_enforcer_->DoesConformToCTEVPolicy( |
| 176 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
| 170 } | 177 } |
| 171 | 178 |
| 172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 179 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| 173 ct::CTVerifyResult result; | 180 ct::CTVerifyResult result; |
| 174 FillResultWithSCTsOfOrigin( | 181 FillResultWithSCTsOfOrigin( |
| 175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 182 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
| 176 | 183 |
| 177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 184 EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
| 178 result, BoundNetLog())); | 185 policy_enforcer_->DoesConformToCTEVPolicy( |
| 186 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
| 179 } | 187 } |
| 180 | 188 |
| 181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 189 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| 182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 190 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 183 ct::CTVerifyResult result; | 191 ct::CTVerifyResult result; |
| 184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 192 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 185 &result); | 193 &result); |
| 186 | 194 |
| 187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 195 EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
| 188 result, BoundNetLog())); | 196 policy_enforcer_->DoesConformToCTEVPolicy( |
| 197 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
| 189 } | 198 } |
| 190 | 199 |
| 191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 200 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 201 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
| 193 new DummyEVCertsWhitelist(true, false)); | 202 new DummyEVCertsWhitelist(true, false)); |
| 194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 203 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 195 // However, as there are only two logs, two SCTs will be required - supply one | 204 // However, as there are only two logs, two SCTs will be required - supply one |
| 196 // to guarantee the test fails. | 205 // to guarantee the test fails. |
| 197 ct::CTVerifyResult result; | 206 ct::CTVerifyResult result; |
| 198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 207 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 199 &result); | 208 &result); |
| 200 | 209 |
| 201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 210 EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| 202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); | 211 policy_enforcer_->DoesConformToCTEVPolicy( |
| 212 chain_.get(), non_including_whitelist.get(), | |
| 213 result.verified_scts, BoundNetLog())); | |
| 203 | 214 |
| 204 // ... but should be OK if whitelisted. | 215 // ... but should be OK if whitelisted. |
| 205 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 216 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 206 new DummyEVCertsWhitelist(true, true)); | 217 new DummyEVCertsWhitelist(true, true)); |
| 207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 218 EXPECT_EQ( |
| 208 chain_.get(), whitelist.get(), result, BoundNetLog())); | 219 ct::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 220 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 221 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
| 209 } | 222 } |
| 210 | 223 |
| 211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 224 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
| 212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 225 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
| 213 "subject", "issuer", base::Time(), base::Time::Now())); | 226 "subject", "issuer", base::Time(), base::Time::Now())); |
| 214 ct::CTVerifyResult result; | 227 ct::CTVerifyResult result; |
| 215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 228 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 216 &result); | 229 &result); |
| 217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 230 EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| 218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); | 231 policy_enforcer_->DoesConformToCTEVPolicy( |
| 232 no_valid_dates_cert.get(), nullptr, result.verified_scts, | |
| 233 BoundNetLog())); | |
| 219 // ... but should be OK if whitelisted. | 234 // ... but should be OK if whitelisted. |
| 220 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 235 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 221 new DummyEVCertsWhitelist(true, true)); | 236 new DummyEVCertsWhitelist(true, true)); |
| 222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 237 EXPECT_EQ( |
| 223 chain_.get(), whitelist.get(), result, BoundNetLog())); | 238 ct::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 239 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 240 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
| 224 } | 241 } |
| 225 | 242 |
| 226 TEST_F(CTPolicyEnforcerTest, | 243 TEST_F(CTPolicyEnforcerTest, |
| 227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 244 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
| 228 // Test multiple validity periods | 245 // Test multiple validity periods |
| 229 const struct TestData { | 246 const struct TestData { |
| 230 base::Time validity_start; | 247 base::Time validity_start; |
| 231 base::Time validity_end; | 248 base::Time validity_end; |
| 232 size_t scts_required; | 249 size_t scts_required; |
| 233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 250 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 267 } | 284 } |
| 268 } | 285 } |
| 269 | 286 |
| 270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 287 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
| 271 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 288 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 272 new DummyEVCertsWhitelist(true, true)); | 289 new DummyEVCertsWhitelist(true, true)); |
| 273 | 290 |
| 274 ct::CTVerifyResult result; | 291 ct::CTVerifyResult result; |
| 275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 292 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 276 &result); | 293 &result); |
| 277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 294 EXPECT_EQ( |
| 278 chain_.get(), whitelist.get(), result, BoundNetLog())); | 295 ct::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 296 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 297 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
| 279 } | 298 } |
| 280 | 299 |
| 281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 300 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
| 282 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 301 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 283 new DummyEVCertsWhitelist(false, true)); | 302 new DummyEVCertsWhitelist(false, true)); |
| 284 | 303 |
| 285 ct::CTVerifyResult result; | 304 ct::CTVerifyResult result; |
| 286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 305 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 287 &result); | 306 &result); |
| 288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 307 EXPECT_EQ( |
| 289 chain_.get(), whitelist.get(), result, BoundNetLog())); | 308 ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| 309 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 310 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
| 290 } | 311 } |
| 291 | 312 |
| 292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 313 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
| 293 ct::CTVerifyResult result; | 314 ct::CTVerifyResult result; |
| 294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 315 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 295 &result); | 316 &result); |
| 296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 317 EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| 297 chain_.get(), nullptr, result, BoundNetLog())); | 318 policy_enforcer_->DoesConformToCTEVPolicy( |
| 319 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
| 298 } | 320 } |
| 299 | 321 |
| 300 } // namespace | 322 } // namespace |
| 301 | 323 |
| 302 } // namespace net | 324 } // namespace net |
| OLD | NEW |
