OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
(...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
116 const base::Time& start, | 116 const base::Time& start, |
117 const base::Time& end, | 117 const base::Time& end, |
118 size_t required_scts) { | 118 size_t required_scts) { |
119 scoped_refptr<X509Certificate> cert( | 119 scoped_refptr<X509Certificate> cert( |
120 new X509Certificate("subject", "issuer", start, end)); | 120 new X509Certificate("subject", "issuer", start, end)); |
121 ct::CTVerifyResult result; | 121 ct::CTVerifyResult result; |
122 | 122 |
123 for (size_t i = 0; i < required_scts - 1; ++i) { | 123 for (size_t i = 0; i < required_scts - 1; ++i) { |
124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
125 1, std::vector<std::string>(), false, &result); | 125 1, std::vector<std::string>(), false, &result); |
126 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 126 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS, |
127 cert.get(), nullptr, result, BoundNetLog())) | 127 policy_enforcer_->DoesConformToCTEVPolicy( |
128 cert.get(), nullptr, result.verified_scts, BoundNetLog())) | |
128 << " for: " << (end - start).InDays() << " and " << required_scts | 129 << " for: " << (end - start).InDays() << " and " << required_scts |
129 << " scts=" << result.verified_scts.size() << " i=" << i; | 130 << " scts=" << result.verified_scts.size() << " i=" << i; |
130 } | 131 } |
131 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 132 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
132 std::vector<std::string>(), false, &result); | 133 std::vector<std::string>(), false, &result); |
133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 134 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS, |
134 cert.get(), nullptr, result, BoundNetLog())) | 135 policy_enforcer_->DoesConformToCTEVPolicy( |
136 cert.get(), nullptr, result.verified_scts, BoundNetLog())) | |
135 << " for: " << (end - start).InDays() << " and " << required_scts | 137 << " for: " << (end - start).InDays() << " and " << required_scts |
136 << " scts=" << result.verified_scts.size(); | 138 << " scts=" << result.verified_scts.size(); |
137 } | 139 } |
138 | 140 |
139 protected: | 141 protected: |
140 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; | 142 scoped_ptr<CTPolicyEnforcer> policy_enforcer_; |
141 scoped_refptr<X509Certificate> chain_; | 143 scoped_refptr<X509Certificate> chain_; |
142 std::string google_log_id_; | 144 std::string google_log_id_; |
143 std::string non_google_log_id_; | 145 std::string non_google_log_id_; |
144 }; | 146 }; |
145 | 147 |
146 TEST_F(CTPolicyEnforcerTest, | 148 TEST_F(CTPolicyEnforcerTest, |
147 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 149 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
148 ct::CTVerifyResult result; | 150 ct::CTVerifyResult result; |
149 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); | 151 FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
Eran Messeri
2016/02/10 17:41:09
Nit: Seems like we can completely get rid of refer
estark
2016/02/11 01:54:21
Done.
| |
150 | 152 |
151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 153 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_DIVERSE_SCTS, |
152 chain_.get(), nullptr, result, BoundNetLog())); | 154 policy_enforcer_->DoesConformToCTEVPolicy( |
155 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
153 } | 156 } |
154 | 157 |
155 TEST_F(CTPolicyEnforcerTest, | 158 TEST_F(CTPolicyEnforcerTest, |
156 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 159 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
157 ct::CTVerifyResult result; | 160 ct::CTVerifyResult result; |
158 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); | 161 FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
159 | 162 |
160 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 163 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_DIVERSE_SCTS, |
161 chain_.get(), nullptr, result, BoundNetLog())); | 164 policy_enforcer_->DoesConformToCTEVPolicy( |
165 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
162 } | 166 } |
163 | 167 |
164 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 168 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
165 ct::CTVerifyResult result; | 169 ct::CTVerifyResult result; |
166 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); | 170 FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
167 | 171 |
168 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 172 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS, |
169 result, BoundNetLog())); | 173 policy_enforcer_->DoesConformToCTEVPolicy( |
174 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
170 } | 175 } |
171 | 176 |
172 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 177 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
173 ct::CTVerifyResult result; | 178 ct::CTVerifyResult result; |
174 FillResultWithSCTsOfOrigin( | 179 FillResultWithSCTsOfOrigin( |
175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 180 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
176 | 181 |
177 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 182 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS, |
178 result, BoundNetLog())); | 183 policy_enforcer_->DoesConformToCTEVPolicy( |
184 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
179 } | 185 } |
180 | 186 |
181 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 187 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
182 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 188 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
183 ct::CTVerifyResult result; | 189 ct::CTVerifyResult result; |
184 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 190 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
185 &result); | 191 &result); |
186 | 192 |
187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 193 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS, |
188 result, BoundNetLog())); | 194 policy_enforcer_->DoesConformToCTEVPolicy( |
195 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
189 } | 196 } |
190 | 197 |
191 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 198 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
192 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 199 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
193 new DummyEVCertsWhitelist(true, false)); | 200 new DummyEVCertsWhitelist(true, false)); |
194 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 201 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
195 // However, as there are only two logs, two SCTs will be required - supply one | 202 // However, as there are only two logs, two SCTs will be required - supply one |
196 // to guarantee the test fails. | 203 // to guarantee the test fails. |
197 ct::CTVerifyResult result; | 204 ct::CTVerifyResult result; |
198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 205 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
199 &result); | 206 &result); |
200 | 207 |
201 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 208 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS, |
202 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); | 209 policy_enforcer_->DoesConformToCTEVPolicy( |
210 chain_.get(), non_including_whitelist.get(), | |
211 result.verified_scts, BoundNetLog())); | |
203 | 212 |
204 // ... but should be OK if whitelisted. | 213 // ... but should be OK if whitelisted. |
205 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 214 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
206 new DummyEVCertsWhitelist(true, true)); | 215 new DummyEVCertsWhitelist(true, true)); |
207 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 216 EXPECT_EQ( |
208 chain_.get(), whitelist.get(), result, BoundNetLog())); | 217 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_WHITELIST, |
218 policy_enforcer_->DoesConformToCTEVPolicy( | |
219 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
209 } | 220 } |
210 | 221 |
211 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 222 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
212 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 223 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
213 "subject", "issuer", base::Time(), base::Time::Now())); | 224 "subject", "issuer", base::Time(), base::Time::Now())); |
214 ct::CTVerifyResult result; | 225 ct::CTVerifyResult result; |
215 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 226 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
216 &result); | 227 &result); |
217 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 228 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS, |
218 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); | 229 policy_enforcer_->DoesConformToCTEVPolicy( |
230 no_valid_dates_cert.get(), nullptr, result.verified_scts, | |
231 BoundNetLog())); | |
219 // ... but should be OK if whitelisted. | 232 // ... but should be OK if whitelisted. |
220 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 233 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
221 new DummyEVCertsWhitelist(true, true)); | 234 new DummyEVCertsWhitelist(true, true)); |
222 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 235 EXPECT_EQ( |
223 chain_.get(), whitelist.get(), result, BoundNetLog())); | 236 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_WHITELIST, |
237 policy_enforcer_->DoesConformToCTEVPolicy( | |
238 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
224 } | 239 } |
225 | 240 |
226 TEST_F(CTPolicyEnforcerTest, | 241 TEST_F(CTPolicyEnforcerTest, |
227 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 242 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
228 // Test multiple validity periods | 243 // Test multiple validity periods |
229 const struct TestData { | 244 const struct TestData { |
230 base::Time validity_start; | 245 base::Time validity_start; |
231 base::Time validity_end; | 246 base::Time validity_end; |
232 size_t scts_required; | 247 size_t scts_required; |
233 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. | 248 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs. |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
267 } | 282 } |
268 } | 283 } |
269 | 284 |
270 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 285 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
271 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 286 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
272 new DummyEVCertsWhitelist(true, true)); | 287 new DummyEVCertsWhitelist(true, true)); |
273 | 288 |
274 ct::CTVerifyResult result; | 289 ct::CTVerifyResult result; |
275 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 290 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
276 &result); | 291 &result); |
277 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 292 EXPECT_EQ( |
278 chain_.get(), whitelist.get(), result, BoundNetLog())); | 293 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_WHITELIST, |
294 policy_enforcer_->DoesConformToCTEVPolicy( | |
295 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
279 } | 296 } |
280 | 297 |
281 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 298 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
282 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 299 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
283 new DummyEVCertsWhitelist(false, true)); | 300 new DummyEVCertsWhitelist(false, true)); |
284 | 301 |
285 ct::CTVerifyResult result; | 302 ct::CTVerifyResult result; |
286 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 303 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
287 &result); | 304 &result); |
288 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 305 EXPECT_EQ( |
289 chain_.get(), whitelist.get(), result, BoundNetLog())); | 306 CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS, |
307 policy_enforcer_->DoesConformToCTEVPolicy( | |
308 chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); | |
290 } | 309 } |
291 | 310 |
292 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 311 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
293 ct::CTVerifyResult result; | 312 ct::CTVerifyResult result; |
294 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 313 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
295 &result); | 314 &result); |
296 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 315 EXPECT_EQ(CTPolicyEnforcer::EV_POLICY_NOT_ENOUGH_SCTS, |
297 chain_.get(), nullptr, result, BoundNetLog())); | 316 policy_enforcer_->DoesConformToCTEVPolicy( |
317 chain_.get(), nullptr, result.verified_scts, BoundNetLog())); | |
298 } | 318 } |
299 | 319 |
300 } // namespace | 320 } // namespace |
301 | 321 |
302 } // namespace net | 322 } // namespace net |
OLD | NEW |