Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(184)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/ct_policy_enforcer_unittest.cc

Issue 1652603002: Add information to SSLInfo about CT EV policy compliance (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: SSLClientSOcket nss fix Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/ct_policy_enforcer.cc ('k') | net/cert/ct_verify_result.h » ('j') | net/cert/ct_verify_result.h » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/ct_policy_enforcer.h" 5 #include "net/cert/ct_policy_enforcer.h"
6 6
7 #include <string> 7 #include <string>
8 8
9 #include "base/memory/scoped_ptr.h" 9 #include "base/memory/scoped_ptr.h"
10 #include "base/time/time.h" 10 #include "base/time/time.h"
(...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after
116 const base::Time& start, 116 const base::Time& start,
117 const base::Time& end, 117 const base::Time& end,
118 size_t required_scts) { 118 size_t required_scts) {
119 scoped_refptr<X509Certificate> cert( 119 scoped_refptr<X509Certificate> cert(
120 new X509Certificate("subject", "issuer", start, end)); 120 new X509Certificate("subject", "issuer", start, end));
121 ct::CTVerifyResult result; 121 ct::CTVerifyResult result;
122 122
123 for (size_t i = 0; i < required_scts - 1; ++i) { 123 for (size_t i = 0; i < required_scts - 1; ++i) {
124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
125 1, std::vector<std::string>(), false, &result); 125 1, std::vector<std::string>(), false, &result);
126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 126 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS,
127 cert.get(), nullptr, result, BoundNetLog())) 127 policy_enforcer_->DoesConformToCTEVPolicy(
128 cert.get(), nullptr, result.verified_scts, BoundNetLog()))
128 << " for: " << (end - start).InDays() << " and " << required_scts 129 << " for: " << (end - start).InDays() << " and " << required_scts
129 << " scts=" << result.verified_scts.size() << " i=" << i; 130 << " scts=" << result.verified_scts.size() << " i=" << i;
130 } 131 }
131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 132 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
132 std::vector<std::string>(), false, &result); 133 std::vector<std::string>(), false, &result);
133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 134 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS,
134 cert.get(), nullptr, result, BoundNetLog())) 135 policy_enforcer_->DoesConformToCTEVPolicy(
136 cert.get(), nullptr, result.verified_scts, BoundNetLog()))
135 << " for: " << (end - start).InDays() << " and " << required_scts 137 << " for: " << (end - start).InDays() << " and " << required_scts
136 << " scts=" << result.verified_scts.size(); 138 << " scts=" << result.verified_scts.size();
137 } 139 }
138 140
139 protected: 141 protected:
140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; 142 scoped_ptr<CTPolicyEnforcer> policy_enforcer_;
141 scoped_refptr<X509Certificate> chain_; 143 scoped_refptr<X509Certificate> chain_;
142 std::string google_log_id_; 144 std::string google_log_id_;
143 std::string non_google_log_id_; 145 std::string non_google_log_id_;
144 }; 146 };
145 147
146 TEST_F(CTPolicyEnforcerTest, 148 TEST_F(CTPolicyEnforcerTest,
147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { 149 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) {
148 ct::CTVerifyResult result; 150 ct::CTVerifyResult result;
149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); 151 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);
Eran Messeri 2016/02/10 17:41:09 Nit: Seems like we can completely get rid of refer
estark 2016/02/11 01:54:21 Done.
150 152
151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 153 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_DIVERSE_SCTS,
152 chain_.get(), nullptr, result, BoundNetLog())); 154 policy_enforcer_->DoesConformToCTEVPolicy(
155 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
153 } 156 }
154 157
155 TEST_F(CTPolicyEnforcerTest, 158 TEST_F(CTPolicyEnforcerTest,
156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { 159 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) {
157 ct::CTVerifyResult result; 160 ct::CTVerifyResult result;
158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); 161 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);
159 162
160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 163 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_DIVERSE_SCTS,
161 chain_.get(), nullptr, result, BoundNetLog())); 164 policy_enforcer_->DoesConformToCTEVPolicy(
165 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
162 } 166 }
163 167
164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { 168 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
165 ct::CTVerifyResult result; 169 ct::CTVerifyResult result;
166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); 170 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);
167 171
168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 172 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS,
169 result, BoundNetLog())); 173 policy_enforcer_->DoesConformToCTEVPolicy(
174 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
170 } 175 }
171 176
172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { 177 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
173 ct::CTVerifyResult result; 178 ct::CTVerifyResult result;
174 FillResultWithSCTsOfOrigin( 179 FillResultWithSCTsOfOrigin(
175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); 180 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
176 181
177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 182 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS,
178 result, BoundNetLog())); 183 policy_enforcer_->DoesConformToCTEVPolicy(
184 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
179 } 185 }
180 186
181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { 187 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. 188 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
183 ct::CTVerifyResult result; 189 ct::CTVerifyResult result;
184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 190 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
185 &result); 191 &result);
186 192
187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 193 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS,
188 result, BoundNetLog())); 194 policy_enforcer_->DoesConformToCTEVPolicy(
195 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
189 } 196 }
190 197
191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { 198 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( 199 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
193 new DummyEVCertsWhitelist(true, false)); 200 new DummyEVCertsWhitelist(true, false));
194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. 201 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
195 // However, as there are only two logs, two SCTs will be required - supply one 202 // However, as there are only two logs, two SCTs will be required - supply one
196 // to guarantee the test fails. 203 // to guarantee the test fails.
197 ct::CTVerifyResult result; 204 ct::CTVerifyResult result;
198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 205 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
199 &result); 206 &result);
200 207
201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 208 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS,
202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); 209 policy_enforcer_->DoesConformToCTEVPolicy(
210 chain_.get(), non_including_whitelist.get(),
211 result.verified_scts, BoundNetLog()));
203 212
204 // ... but should be OK if whitelisted. 213 // ... but should be OK if whitelisted.
205 scoped_refptr<ct::EVCertsWhitelist> whitelist( 214 scoped_refptr<ct::EVCertsWhitelist> whitelist(
206 new DummyEVCertsWhitelist(true, true)); 215 new DummyEVCertsWhitelist(true, true));
207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 216 EXPECT_EQ(
208 chain_.get(), whitelist.get(), result, BoundNetLog())); 217 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_WHITELIST,
218 policy_enforcer_->DoesConformToCTEVPolicy(
219 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
209 } 220 }
210 221
211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { 222 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( 223 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
213 "subject", "issuer", base::Time(), base::Time::Now())); 224 "subject", "issuer", base::Time(), base::Time::Now()));
214 ct::CTVerifyResult result; 225 ct::CTVerifyResult result;
215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 226 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
216 &result); 227 &result);
217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 228 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS,
218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); 229 policy_enforcer_->DoesConformToCTEVPolicy(
230 no_valid_dates_cert.get(), nullptr, result.verified_scts,
231 BoundNetLog()));
219 // ... but should be OK if whitelisted. 232 // ... but should be OK if whitelisted.
220 scoped_refptr<ct::EVCertsWhitelist> whitelist( 233 scoped_refptr<ct::EVCertsWhitelist> whitelist(
221 new DummyEVCertsWhitelist(true, true)); 234 new DummyEVCertsWhitelist(true, true));
222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 235 EXPECT_EQ(
223 chain_.get(), whitelist.get(), result, BoundNetLog())); 236 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_WHITELIST,
237 policy_enforcer_->DoesConformToCTEVPolicy(
238 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
224 } 239 }
225 240
226 TEST_F(CTPolicyEnforcerTest, 241 TEST_F(CTPolicyEnforcerTest,
227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { 242 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
228 // Test multiple validity periods 243 // Test multiple validity periods
229 const struct TestData { 244 const struct TestData {
230 base::Time validity_start; 245 base::Time validity_start;
231 base::Time validity_end; 246 base::Time validity_end;
232 size_t scts_required; 247 size_t scts_required;
233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. 248 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after
267 } 282 }
268 } 283 }
269 284
270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { 285 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
271 scoped_refptr<ct::EVCertsWhitelist> whitelist( 286 scoped_refptr<ct::EVCertsWhitelist> whitelist(
272 new DummyEVCertsWhitelist(true, true)); 287 new DummyEVCertsWhitelist(true, true));
273 288
274 ct::CTVerifyResult result; 289 ct::CTVerifyResult result;
275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 290 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
276 &result); 291 &result);
277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( 292 EXPECT_EQ(
278 chain_.get(), whitelist.get(), result, BoundNetLog())); 293 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_WHITELIST,
294 policy_enforcer_->DoesConformToCTEVPolicy(
295 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
279 } 296 }
280 297
281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { 298 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
282 scoped_refptr<ct::EVCertsWhitelist> whitelist( 299 scoped_refptr<ct::EVCertsWhitelist> whitelist(
283 new DummyEVCertsWhitelist(false, true)); 300 new DummyEVCertsWhitelist(false, true));
284 301
285 ct::CTVerifyResult result; 302 ct::CTVerifyResult result;
286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 303 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
287 &result); 304 &result);
288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 305 EXPECT_EQ(
289 chain_.get(), whitelist.get(), result, BoundNetLog())); 306 CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS,
307 policy_enforcer_->DoesConformToCTEVPolicy(
308 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog()));
290 } 309 }
291 310
292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { 311 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
293 ct::CTVerifyResult result; 312 ct::CTVerifyResult result;
294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, 313 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
295 &result); 314 &result);
296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( 315 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS,
297 chain_.get(), nullptr, result, BoundNetLog())); 316 policy_enforcer_->DoesConformToCTEVPolicy(
317 chain_.get(), nullptr, result.verified_scts, BoundNetLog()));
298 } 318 }
299 319
300 } // namespace 320 } // namespace
301 321
302 } // namespace net 322 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/ct_policy_enforcer.cc ('k') | net/cert/ct_verify_result.h » ('j') | net/cert/ct_verify_result.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698