OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
11 #include "base/version.h" | 11 #include "base/version.h" |
12 #include "crypto/sha2.h" | 12 #include "crypto/sha2.h" |
13 #include "net/base/test_data_directory.h" | 13 #include "net/base/test_data_directory.h" |
14 #include "net/cert/ct_ev_whitelist.h" | 14 #include "net/cert/ct_ev_whitelist.h" |
| 15 #include "net/cert/ct_policy_status.h" |
15 #include "net/cert/ct_verify_result.h" | 16 #include "net/cert/ct_verify_result.h" |
16 #include "net/cert/x509_certificate.h" | 17 #include "net/cert/x509_certificate.h" |
17 #include "net/test/cert_test_util.h" | 18 #include "net/test/cert_test_util.h" |
18 #include "net/test/ct_test_util.h" | 19 #include "net/test/ct_test_util.h" |
19 #include "testing/gmock/include/gmock/gmock.h" | 20 #include "testing/gmock/include/gmock/gmock.h" |
20 #include "testing/gtest/include/gtest/gtest.h" | 21 #include "testing/gtest/include/gtest/gtest.h" |
21 | 22 |
22 namespace net { | 23 namespace net { |
23 | 24 |
24 namespace { | 25 namespace { |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
58 policy_enforcer_.reset(new CTPolicyEnforcer); | 59 policy_enforcer_.reset(new CTPolicyEnforcer); |
59 | 60 |
60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 61 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | 62 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
62 der_test_cert.size()); | 63 der_test_cert.size()); |
63 ASSERT_TRUE(chain_.get()); | 64 ASSERT_TRUE(chain_.get()); |
64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); | 65 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); |
65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); | 66 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); |
66 } | 67 } |
67 | 68 |
| 69 // TODO(eranm): Remove the use of CTVerifyResult in this file and just |
| 70 // use lists of verified SCTs. https://crbug.com/587921 |
68 void FillResultWithSCTsOfOrigin( | 71 void FillResultWithSCTsOfOrigin( |
69 ct::SignedCertificateTimestamp::Origin desired_origin, | 72 ct::SignedCertificateTimestamp::Origin desired_origin, |
70 size_t num_scts, | 73 size_t num_scts, |
71 const std::vector<std::string>& desired_log_keys, | 74 const std::vector<std::string>& desired_log_keys, |
72 bool timestamp_past_enforcement_date, | 75 bool timestamp_past_enforcement_date, |
73 ct::CTVerifyResult* result) { | 76 ct::CTVerifyResult* result) { |
74 for (size_t i = 0; i < num_scts; ++i) { | 77 for (size_t i = 0; i < num_scts; ++i) { |
75 scoped_refptr<ct::SignedCertificateTimestamp> sct( | 78 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
76 new ct::SignedCertificateTimestamp()); | 79 new ct::SignedCertificateTimestamp()); |
77 sct->origin = desired_origin; | 80 sct->origin = desired_origin; |
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
116 const base::Time& start, | 119 const base::Time& start, |
117 const base::Time& end, | 120 const base::Time& end, |
118 size_t required_scts) { | 121 size_t required_scts) { |
119 scoped_refptr<X509Certificate> cert( | 122 scoped_refptr<X509Certificate> cert( |
120 new X509Certificate("subject", "issuer", start, end)); | 123 new X509Certificate("subject", "issuer", start, end)); |
121 ct::CTVerifyResult result; | 124 ct::CTVerifyResult result; |
122 | 125 |
123 for (size_t i = 0; i < required_scts - 1; ++i) { | 126 for (size_t i = 0; i < required_scts - 1; ++i) { |
124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 127 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
125 1, std::vector<std::string>(), false, &result); | 128 1, std::vector<std::string>(), false, &result); |
126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 129 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
127 cert.get(), nullptr, result, BoundNetLog())) | 130 policy_enforcer_->DoesConformToCTEVPolicy( |
| 131 cert.get(), nullptr, result.verified_scts, BoundNetLog())) |
128 << " for: " << (end - start).InDays() << " and " << required_scts | 132 << " for: " << (end - start).InDays() << " and " << required_scts |
129 << " scts=" << result.verified_scts.size() << " i=" << i; | 133 << " scts=" << result.verified_scts.size() << " i=" << i; |
130 } | 134 } |
131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 135 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
132 std::vector<std::string>(), false, &result); | 136 std::vector<std::string>(), false, &result); |
133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 137 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
134 cert.get(), nullptr, result, BoundNetLog())) | 138 policy_enforcer_->DoesConformToCTEVPolicy( |
| 139 cert.get(), nullptr, result.verified_scts, BoundNetLog())) |
135 << " for: " << (end - start).InDays() << " and " << required_scts | 140 << " for: " << (end - start).InDays() << " and " << required_scts |
136 << " scts=" << result.verified_scts.size(); | 141 << " scts=" << result.verified_scts.size(); |
137 } | 142 } |
138 | 143 |
139 protected: | 144 protected: |
140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; | 145 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
141 scoped_refptr<X509Certificate> chain_; | 146 scoped_refptr<X509Certificate> chain_; |
142 std::string google_log_id_; | 147 std::string google_log_id_; |
143 std::string non_google_log_id_; | 148 std::string non_google_log_id_; |
144 }; | 149 }; |
145 | 150 |
146 TEST_F(CTPolicyEnforcerTest, | 151 TEST_F(CTPolicyEnforcerTest, |
147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 152 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
148 ct::CTVerifyResult result; | 153 ct::CTVerifyResult result; |
149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); | 154 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
150 | 155 |
151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 156 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
152 chain_.get(), nullptr, result, BoundNetLog())); | 157 policy_enforcer_->DoesConformToCTEVPolicy( |
| 158 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
153 } | 159 } |
154 | 160 |
155 TEST_F(CTPolicyEnforcerTest, | 161 TEST_F(CTPolicyEnforcerTest, |
156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 162 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
157 ct::CTVerifyResult result; | 163 ct::CTVerifyResult result; |
158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); | 164 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
159 | 165 |
160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 166 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
161 chain_.get(), nullptr, result, BoundNetLog())); | 167 policy_enforcer_->DoesConformToCTEVPolicy( |
| 168 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
162 } | 169 } |
163 | 170 |
164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 171 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
165 ct::CTVerifyResult result; | 172 ct::CTVerifyResult result; |
166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); | 173 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
167 | 174 |
168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 175 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
169 result, BoundNetLog())); | 176 policy_enforcer_->DoesConformToCTEVPolicy( |
| 177 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
170 } | 178 } |
171 | 179 |
172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 180 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
173 ct::CTVerifyResult result; | 181 ct::CTVerifyResult result; |
174 FillResultWithSCTsOfOrigin( | 182 FillResultWithSCTsOfOrigin( |
175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 183 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
176 | 184 |
177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 185 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
178 result, BoundNetLog())); | 186 policy_enforcer_->DoesConformToCTEVPolicy( |
| 187 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
179 } | 188 } |
180 | 189 |
181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 190 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 191 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
183 ct::CTVerifyResult result; | 192 ct::CTVerifyResult result; |
184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 193 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
185 &result); | 194 &result); |
186 | 195 |
187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 196 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
188 result, BoundNetLog())); | 197 policy_enforcer_->DoesConformToCTEVPolicy( |
| 198 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
189 } | 199 } |
190 | 200 |
191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 201 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 202 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
193 new DummyEVCertsWhitelist(true, false)); | 203 new DummyEVCertsWhitelist(true, false)); |
194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 204 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
195 // However, as there are only two logs, two SCTs will be required - supply one | 205 // However, as there are only two logs, two SCTs will be required - supply one |
196 // to guarantee the test fails. | 206 // to guarantee the test fails. |
197 ct::CTVerifyResult result; | 207 ct::CTVerifyResult result; |
198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 208 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
199 &result); | 209 &result); |
200 | 210 |
201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 211 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); | 212 policy_enforcer_->DoesConformToCTEVPolicy( |
| 213 chain_.get(), non_including_whitelist.get(), |
| 214 result.verified_scts, BoundNetLog())); |
203 | 215 |
204 // ... but should be OK if whitelisted. | 216 // ... but should be OK if whitelisted. |
205 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 217 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
206 new DummyEVCertsWhitelist(true, true)); | 218 new DummyEVCertsWhitelist(true, true)); |
207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 219 EXPECT_EQ( |
208 chain_.get(), whitelist.get(), result, BoundNetLog())); | 220 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 221 policy_enforcer_->DoesConformToCTEVPolicy( |
| 222 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
209 } | 223 } |
210 | 224 |
211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 225 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 226 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
213 "subject", "issuer", base::Time(), base::Time::Now())); | 227 "subject", "issuer", base::Time(), base::Time::Now())); |
214 ct::CTVerifyResult result; | 228 ct::CTVerifyResult result; |
215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 229 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
216 &result); | 230 &result); |
217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 231 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); | 232 policy_enforcer_->DoesConformToCTEVPolicy( |
| 233 no_valid_dates_cert.get(), nullptr, result.verified_scts, |
| 234 BoundNetLog())); |
219 // ... but should be OK if whitelisted. | 235 // ... but should be OK if whitelisted. |
220 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 236 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
221 new DummyEVCertsWhitelist(true, true)); | 237 new DummyEVCertsWhitelist(true, true)); |
222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 238 EXPECT_EQ( |
223 chain_.get(), whitelist.get(), result, BoundNetLog())); | 239 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 240 policy_enforcer_->DoesConformToCTEVPolicy( |
| 241 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
224 } | 242 } |
225 | 243 |
226 TEST_F(CTPolicyEnforcerTest, | 244 TEST_F(CTPolicyEnforcerTest, |
227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 245 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
228 // Test multiple validity periods | 246 // Test multiple validity periods |
229 const struct TestData { | 247 const struct TestData { |
230 base::Time validity_start; | 248 base::Time validity_start; |
231 base::Time validity_end; | 249 base::Time validity_end; |
232 size_t scts_required; | 250 size_t scts_required; |
233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 251 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
267 } | 285 } |
268 } | 286 } |
269 | 287 |
270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 288 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
271 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 289 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
272 new DummyEVCertsWhitelist(true, true)); | 290 new DummyEVCertsWhitelist(true, true)); |
273 | 291 |
274 ct::CTVerifyResult result; | 292 ct::CTVerifyResult result; |
275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 293 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
276 &result); | 294 &result); |
277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 295 EXPECT_EQ( |
278 chain_.get(), whitelist.get(), result, BoundNetLog())); | 296 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 297 policy_enforcer_->DoesConformToCTEVPolicy( |
| 298 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
279 } | 299 } |
280 | 300 |
281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 301 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
282 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 302 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
283 new DummyEVCertsWhitelist(false, true)); | 303 new DummyEVCertsWhitelist(false, true)); |
284 | 304 |
285 ct::CTVerifyResult result; | 305 ct::CTVerifyResult result; |
286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 306 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
287 &result); | 307 &result); |
288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 308 EXPECT_EQ( |
289 chain_.get(), whitelist.get(), result, BoundNetLog())); | 309 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 310 policy_enforcer_->DoesConformToCTEVPolicy( |
| 311 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
290 } | 312 } |
291 | 313 |
292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 314 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
293 ct::CTVerifyResult result; | 315 ct::CTVerifyResult result; |
294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 316 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
295 &result); | 317 &result); |
296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 318 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
297 chain_.get(), nullptr, result, BoundNetLog())); | 319 policy_enforcer_->DoesConformToCTEVPolicy( |
| 320 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
298 } | 321 } |
299 | 322 |
300 } // namespace | 323 } // namespace |
301 | 324 |
302 } // namespace net | 325 } // namespace net |
OLD | NEW |