| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| 11 #include "base/version.h" | 11 #include "base/version.h" |
| 12 #include "crypto/sha2.h" | 12 #include "crypto/sha2.h" |
| 13 #include "net/base/test_data_directory.h" | 13 #include "net/base/test_data_directory.h" |
| 14 #include "net/cert/ct_ev_whitelist.h" | 14 #include "net/cert/ct_ev_whitelist.h" |
| 15 #include "net/cert/ct_policy_status.h" |
| 15 #include "net/cert/ct_verify_result.h" | 16 #include "net/cert/ct_verify_result.h" |
| 16 #include "net/cert/x509_certificate.h" | 17 #include "net/cert/x509_certificate.h" |
| 17 #include "net/test/cert_test_util.h" | 18 #include "net/test/cert_test_util.h" |
| 18 #include "net/test/ct_test_util.h" | 19 #include "net/test/ct_test_util.h" |
| 19 #include "testing/gmock/include/gmock/gmock.h" | 20 #include "testing/gmock/include/gmock/gmock.h" |
| 20 #include "testing/gtest/include/gtest/gtest.h" | 21 #include "testing/gtest/include/gtest/gtest.h" |
| 21 | 22 |
| 22 namespace net { | 23 namespace net { |
| 23 | 24 |
| 24 namespace { | 25 namespace { |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 58 policy_enforcer_.reset(new CTPolicyEnforcer); | 59 policy_enforcer_.reset(new CTPolicyEnforcer); |
| 59 | 60 |
| 60 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 61 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
| 61 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | 62 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
| 62 der_test_cert.size()); | 63 der_test_cert.size()); |
| 63 ASSERT_TRUE(chain_.get()); | 64 ASSERT_TRUE(chain_.get()); |
| 64 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); | 65 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); |
| 65 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); | 66 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); |
| 66 } | 67 } |
| 67 | 68 |
| 69 // TODO(eranm): Remove the use of CTVerifyResult in this file and just |
| 70 // use lists of verified SCTs. https://crbug.com/587921 |
| 68 void FillResultWithSCTsOfOrigin( | 71 void FillResultWithSCTsOfOrigin( |
| 69 ct::SignedCertificateTimestamp::Origin desired_origin, | 72 ct::SignedCertificateTimestamp::Origin desired_origin, |
| 70 size_t num_scts, | 73 size_t num_scts, |
| 71 const std::vector<std::string>& desired_log_keys, | 74 const std::vector<std::string>& desired_log_keys, |
| 72 bool timestamp_past_enforcement_date, | 75 bool timestamp_past_enforcement_date, |
| 73 ct::CTVerifyResult* result) { | 76 ct::CTVerifyResult* result) { |
| 74 for (size_t i = 0; i < num_scts; ++i) { | 77 for (size_t i = 0; i < num_scts; ++i) { |
| 75 scoped_refptr<ct::SignedCertificateTimestamp> sct( | 78 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
| 76 new ct::SignedCertificateTimestamp()); | 79 new ct::SignedCertificateTimestamp()); |
| 77 sct->origin = desired_origin; | 80 sct->origin = desired_origin; |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 116 const base::Time& start, | 119 const base::Time& start, |
| 117 const base::Time& end, | 120 const base::Time& end, |
| 118 size_t required_scts) { | 121 size_t required_scts) { |
| 119 scoped_refptr<X509Certificate> cert( | 122 scoped_refptr<X509Certificate> cert( |
| 120 new X509Certificate("subject", "issuer", start, end)); | 123 new X509Certificate("subject", "issuer", start, end)); |
| 121 ct::CTVerifyResult result; | 124 ct::CTVerifyResult result; |
| 122 | 125 |
| 123 for (size_t i = 0; i < required_scts - 1; ++i) { | 126 for (size_t i = 0; i < required_scts - 1; ++i) { |
| 124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 127 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 125 1, std::vector<std::string>(), false, &result); | 128 1, std::vector<std::string>(), false, &result); |
| 126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 129 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 127 cert.get(), nullptr, result, BoundNetLog())) | 130 policy_enforcer_->DoesConformToCTEVPolicy( |
| 131 cert.get(), nullptr, result.verified_scts, BoundNetLog())) |
| 128 << " for: " << (end - start).InDays() << " and " << required_scts | 132 << " for: " << (end - start).InDays() << " and " << required_scts |
| 129 << " scts=" << result.verified_scts.size() << " i=" << i; | 133 << " scts=" << result.verified_scts.size() << " i=" << i; |
| 130 } | 134 } |
| 131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 135 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 132 std::vector<std::string>(), false, &result); | 136 std::vector<std::string>(), false, &result); |
| 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 137 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 134 cert.get(), nullptr, result, BoundNetLog())) | 138 policy_enforcer_->DoesConformToCTEVPolicy( |
| 139 cert.get(), nullptr, result.verified_scts, BoundNetLog())) |
| 135 << " for: " << (end - start).InDays() << " and " << required_scts | 140 << " for: " << (end - start).InDays() << " and " << required_scts |
| 136 << " scts=" << result.verified_scts.size(); | 141 << " scts=" << result.verified_scts.size(); |
| 137 } | 142 } |
| 138 | 143 |
| 139 protected: | 144 protected: |
| 140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; | 145 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
| 141 scoped_refptr<X509Certificate> chain_; | 146 scoped_refptr<X509Certificate> chain_; |
| 142 std::string google_log_id_; | 147 std::string google_log_id_; |
| 143 std::string non_google_log_id_; | 148 std::string non_google_log_id_; |
| 144 }; | 149 }; |
| 145 | 150 |
| 146 TEST_F(CTPolicyEnforcerTest, | 151 TEST_F(CTPolicyEnforcerTest, |
| 147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 152 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
| 148 ct::CTVerifyResult result; | 153 ct::CTVerifyResult result; |
| 149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); | 154 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
| 150 | 155 |
| 151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 156 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 152 chain_.get(), nullptr, result, BoundNetLog())); | 157 policy_enforcer_->DoesConformToCTEVPolicy( |
| 158 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| 153 } | 159 } |
| 154 | 160 |
| 155 TEST_F(CTPolicyEnforcerTest, | 161 TEST_F(CTPolicyEnforcerTest, |
| 156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 162 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
| 157 ct::CTVerifyResult result; | 163 ct::CTVerifyResult result; |
| 158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); | 164 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
| 159 | 165 |
| 160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 166 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 161 chain_.get(), nullptr, result, BoundNetLog())); | 167 policy_enforcer_->DoesConformToCTEVPolicy( |
| 168 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| 162 } | 169 } |
| 163 | 170 |
| 164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 171 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
| 165 ct::CTVerifyResult result; | 172 ct::CTVerifyResult result; |
| 166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); | 173 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
| 167 | 174 |
| 168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 175 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 169 result, BoundNetLog())); | 176 policy_enforcer_->DoesConformToCTEVPolicy( |
| 177 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| 170 } | 178 } |
| 171 | 179 |
| 172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 180 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| 173 ct::CTVerifyResult result; | 181 ct::CTVerifyResult result; |
| 174 FillResultWithSCTsOfOrigin( | 182 FillResultWithSCTsOfOrigin( |
| 175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 183 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
| 176 | 184 |
| 177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 185 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 178 result, BoundNetLog())); | 186 policy_enforcer_->DoesConformToCTEVPolicy( |
| 187 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| 179 } | 188 } |
| 180 | 189 |
| 181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 190 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| 182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 191 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 183 ct::CTVerifyResult result; | 192 ct::CTVerifyResult result; |
| 184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 193 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 185 &result); | 194 &result); |
| 186 | 195 |
| 187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 196 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 188 result, BoundNetLog())); | 197 policy_enforcer_->DoesConformToCTEVPolicy( |
| 198 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| 189 } | 199 } |
| 190 | 200 |
| 191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 201 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 202 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
| 193 new DummyEVCertsWhitelist(true, false)); | 203 new DummyEVCertsWhitelist(true, false)); |
| 194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 204 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 195 // However, as there are only two logs, two SCTs will be required - supply one | 205 // However, as there are only two logs, two SCTs will be required - supply one |
| 196 // to guarantee the test fails. | 206 // to guarantee the test fails. |
| 197 ct::CTVerifyResult result; | 207 ct::CTVerifyResult result; |
| 198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 208 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 199 &result); | 209 &result); |
| 200 | 210 |
| 201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 211 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); | 212 policy_enforcer_->DoesConformToCTEVPolicy( |
| 213 chain_.get(), non_including_whitelist.get(), |
| 214 result.verified_scts, BoundNetLog())); |
| 203 | 215 |
| 204 // ... but should be OK if whitelisted. | 216 // ... but should be OK if whitelisted. |
| 205 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 217 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 206 new DummyEVCertsWhitelist(true, true)); | 218 new DummyEVCertsWhitelist(true, true)); |
| 207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 219 EXPECT_EQ( |
| 208 chain_.get(), whitelist.get(), result, BoundNetLog())); | 220 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 221 policy_enforcer_->DoesConformToCTEVPolicy( |
| 222 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
| 209 } | 223 } |
| 210 | 224 |
| 211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 225 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
| 212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 226 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
| 213 "subject", "issuer", base::Time(), base::Time::Now())); | 227 "subject", "issuer", base::Time(), base::Time::Now())); |
| 214 ct::CTVerifyResult result; | 228 ct::CTVerifyResult result; |
| 215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 229 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 216 &result); | 230 &result); |
| 217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 231 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); | 232 policy_enforcer_->DoesConformToCTEVPolicy( |
| 233 no_valid_dates_cert.get(), nullptr, result.verified_scts, |
| 234 BoundNetLog())); |
| 219 // ... but should be OK if whitelisted. | 235 // ... but should be OK if whitelisted. |
| 220 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 236 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 221 new DummyEVCertsWhitelist(true, true)); | 237 new DummyEVCertsWhitelist(true, true)); |
| 222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 238 EXPECT_EQ( |
| 223 chain_.get(), whitelist.get(), result, BoundNetLog())); | 239 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 240 policy_enforcer_->DoesConformToCTEVPolicy( |
| 241 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
| 224 } | 242 } |
| 225 | 243 |
| 226 TEST_F(CTPolicyEnforcerTest, | 244 TEST_F(CTPolicyEnforcerTest, |
| 227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 245 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
| 228 // Test multiple validity periods | 246 // Test multiple validity periods |
| 229 const struct TestData { | 247 const struct TestData { |
| 230 base::Time validity_start; | 248 base::Time validity_start; |
| 231 base::Time validity_end; | 249 base::Time validity_end; |
| 232 size_t scts_required; | 250 size_t scts_required; |
| 233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 251 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 267 } | 285 } |
| 268 } | 286 } |
| 269 | 287 |
| 270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 288 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
| 271 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 289 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 272 new DummyEVCertsWhitelist(true, true)); | 290 new DummyEVCertsWhitelist(true, true)); |
| 273 | 291 |
| 274 ct::CTVerifyResult result; | 292 ct::CTVerifyResult result; |
| 275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 293 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 276 &result); | 294 &result); |
| 277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 295 EXPECT_EQ( |
| 278 chain_.get(), whitelist.get(), result, BoundNetLog())); | 296 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 297 policy_enforcer_->DoesConformToCTEVPolicy( |
| 298 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
| 279 } | 299 } |
| 280 | 300 |
| 281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 301 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
| 282 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 302 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 283 new DummyEVCertsWhitelist(false, true)); | 303 new DummyEVCertsWhitelist(false, true)); |
| 284 | 304 |
| 285 ct::CTVerifyResult result; | 305 ct::CTVerifyResult result; |
| 286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 306 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 287 &result); | 307 &result); |
| 288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 308 EXPECT_EQ( |
| 289 chain_.get(), whitelist.get(), result, BoundNetLog())); | 309 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 310 policy_enforcer_->DoesConformToCTEVPolicy( |
| 311 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
| 290 } | 312 } |
| 291 | 313 |
| 292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 314 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
| 293 ct::CTVerifyResult result; | 315 ct::CTVerifyResult result; |
| 294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 316 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 295 &result); | 317 &result); |
| 296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 318 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 297 chain_.get(), nullptr, result, BoundNetLog())); | 319 policy_enforcer_->DoesConformToCTEVPolicy( |
| 320 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| 298 } | 321 } |
| 299 | 322 |
| 300 } // namespace | 323 } // namespace |
| 301 | 324 |
| 302 } // namespace net | 325 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1652603002:
Add information to SSLInfo about CT EV policy compliance (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master