Chromium Code Reviews| Index: net/cert/ct_policy_enforcer_unittest.cc |
| diff --git a/net/cert/ct_policy_enforcer_unittest.cc b/net/cert/ct_policy_enforcer_unittest.cc |
| index 435525293337ea7569e52ccf35e881580b1123b1..26f2a25a0fc2f3421472bd6b535f51d2ffc4d7d4 100644 |
| --- a/net/cert/ct_policy_enforcer_unittest.cc |
| +++ b/net/cert/ct_policy_enforcer_unittest.cc |
| @@ -65,6 +65,8 @@ class CTPolicyEnforcerTest : public ::testing::Test { |
| non_google_log_id_.assign(crypto::kSHA256Length, 'A'); |
| } |
| + // TODO(eranm): remove the use of CTVerifyResult in this file and just |
| + // use lists of verified SCTs. |
|
Ryan Sleevi
2016/02/18 06:46:51
comment nit: s/remove/Remove/ (proper sentence)
estark
2016/02/18 19:24:31
Done.
|
| void FillResultWithSCTsOfOrigin( |
| ct::SignedCertificateTimestamp::Origin desired_origin, |
| size_t num_scts, |
| @@ -123,15 +125,17 @@ class CTPolicyEnforcerTest : public ::testing::Test { |
| for (size_t i = 0; i < required_scts - 1; ++i) { |
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 1, std::vector<std::string>(), false, &result); |
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - cert.get(), nullptr, result, BoundNetLog())) |
| + EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + cert.get(), nullptr, result.verified_scts, BoundNetLog())) |
| << " for: " << (end - start).InDays() << " and " << required_scts |
| << " scts=" << result.verified_scts.size() << " i=" << i; |
| } |
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| std::vector<std::string>(), false, &result); |
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - cert.get(), nullptr, result, BoundNetLog())) |
| + EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + cert.get(), nullptr, result.verified_scts, BoundNetLog())) |
| << " for: " << (end - start).InDays() << " and " << required_scts |
| << " scts=" << result.verified_scts.size(); |
| } |
| @@ -148,8 +152,9 @@ TEST_F(CTPolicyEnforcerTest, |
| ct::CTVerifyResult result; |
| FillResultWithRepeatedLogID(google_log_id_, 2, true, &result); |
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - chain_.get(), nullptr, result, BoundNetLog())); |
| + EXPECT_EQ(ct::EV_POLICY_NOT_DIVERSE_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| } |
| TEST_F(CTPolicyEnforcerTest, |
| @@ -157,16 +162,18 @@ TEST_F(CTPolicyEnforcerTest, |
| ct::CTVerifyResult result; |
| FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result); |
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - chain_.get(), nullptr, result, BoundNetLog())); |
| + EXPECT_EQ(ct::EV_POLICY_NOT_DIVERSE_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| } |
| TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
| ct::CTVerifyResult result; |
| FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result); |
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| - result, BoundNetLog())); |
| + EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| } |
| TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| @@ -174,8 +181,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| FillResultWithSCTsOfOrigin( |
| ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| - result, BoundNetLog())); |
| + EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| } |
| TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| @@ -184,8 +192,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| &result); |
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| - result, BoundNetLog())); |
| + EXPECT_EQ(ct::EV_POLICY_COMPLIES_VIA_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| } |
| TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| @@ -198,14 +207,18 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| &result); |
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); |
| + EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), non_including_whitelist.get(), |
| + result.verified_scts, BoundNetLog())); |
| // ... but should be OK if whitelisted. |
| scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| new DummyEVCertsWhitelist(true, true)); |
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - chain_.get(), whitelist.get(), result, BoundNetLog())); |
| + EXPECT_EQ( |
| + ct::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
| } |
| TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
| @@ -214,13 +227,17 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
| ct::CTVerifyResult result; |
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| &result); |
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); |
| + EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + no_valid_dates_cert.get(), nullptr, result.verified_scts, |
| + BoundNetLog())); |
| // ... but should be OK if whitelisted. |
| scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| new DummyEVCertsWhitelist(true, true)); |
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - chain_.get(), whitelist.get(), result, BoundNetLog())); |
| + EXPECT_EQ( |
| + ct::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
| } |
| TEST_F(CTPolicyEnforcerTest, |
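Review bot: The whitelisted half of DoesNotConformToPolicyInvalidDates passes `chain_.get()` rather than `no_valid_dates_cert.get()`, so the "... but should be OK if whitelisted" assertion never exercises the certificate this test is about. If the intent is that a whitelist entry overrides the invalid-dates failure, the arguments should read `no_valid_dates_cert.get(), whitelist.get(), result.verified_scts, BoundNetLog()`; as written the check appears to repeat the one in DoesNotConformToCTEVPolicyNotEnoughSCTs. A one-line comment above the first assertion would also help, e.g. `// Invalid validity dates are reported as EV_POLICY_NOT_ENOUGH_SCTS.`, because five embedded SCTs are supplied and the result name alone does not explain the failure. The construction of `no_valid_dates_cert` is outside the hunk.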
| @@ -274,8 +291,10 @@ TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
| ct::CTVerifyResult result; |
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| &result); |
| - EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - chain_.get(), whitelist.get(), result, BoundNetLog())); |
| + EXPECT_EQ( |
| + ct::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
| } |
| TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
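Review bot: No assertion visible in these hunks pins which result is returned when a chain both carries enough SCTs and is present on a valid whitelist. ConformsToPolicyByEVWhitelistPresence supplies only one embedded SCT, so `ct::EV_POLICY_COMPLIES_VIA_WHITELIST` is the only compliant outcome it can observe. Now that the return value distinguishes the reason for compliance, a case that combines a containing whitelist with a sufficient SCT count (ConformsToCTEVPolicyWithEmbeddedSCTs uses 5) would document the intended precedence. Such a test may already exist in the part of the file these hunks do not show. The start of this test, where `whitelist` is constructed, is also outside the hunk.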
| @@ -285,16 +304,19 @@ TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
| ct::CTVerifyResult result; |
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| &result); |
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - chain_.get(), whitelist.get(), result, BoundNetLog())); |
| + EXPECT_EQ( |
| + ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), whitelist.get(), result.verified_scts, BoundNetLog())); |
| } |
| TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
| ct::CTVerifyResult result; |
| FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| &result); |
| - EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| - chain_.get(), nullptr, result, BoundNetLog())); |
| + EXPECT_EQ(ct::EV_POLICY_NOT_ENOUGH_SCTS, |
| + policy_enforcer_->DoesConformToCTEVPolicy( |
| + chain_.get(), nullptr, result.verified_scts, BoundNetLog())); |
| } |
| } // namespace |