OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
56 class CTPolicyEnforcerTest : public ::testing::Test { | 56 class CTPolicyEnforcerTest : public ::testing::Test { |
57 public: | 57 public: |
58 void SetUp() override { | 58 void SetUp() override { |
59 policy_enforcer_.reset(new CTPolicyEnforcer); | 59 policy_enforcer_.reset(new CTPolicyEnforcer); |
60 | 60 |
61 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 61 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
62 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | 62 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
63 der_test_cert.size()); | 63 der_test_cert.size()); |
64 ASSERT_TRUE(chain_.get()); | 64 ASSERT_TRUE(chain_.get()); |
65 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); | 65 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); |
66 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); | 66 non_google_log_id_.assign(crypto::kSHA256Length, 1); |
67 } | 67 } |
68 | 68 |
69 void FillListWithSCTsOfOrigin( | 69 void FillListWithSCTsOfOrigin( |
70 ct::SignedCertificateTimestamp::Origin desired_origin, | 70 ct::SignedCertificateTimestamp::Origin desired_origin, |
71 size_t num_scts, | 71 size_t num_scts, |
72 const std::vector<std::string>& desired_log_keys, | 72 const std::vector<std::string>& desired_log_keys, |
73 bool timestamp_past_enforcement_date, | 73 bool timestamp_past_enforcement_date, |
74 ct::SCTList* verified_scts) { | 74 ct::SCTList* verified_scts) { |
75 for (size_t i = 0; i < num_scts; ++i) { | 75 for (size_t i = 0; i < num_scts; ++i) { |
76 scoped_refptr<ct::SignedCertificateTimestamp> sct( | 76 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
77 new ct::SignedCertificateTimestamp()); | 77 new ct::SignedCertificateTimestamp()); |
78 sct->origin = desired_origin; | 78 sct->origin = desired_origin; |
79 if (i < desired_log_keys.size()) | 79 if (i < desired_log_keys.size()) |
80 sct->log_id = desired_log_keys[i]; | 80 sct->log_id = desired_log_keys[i]; |
81 else | 81 else |
82 sct->log_id = non_google_log_id_; | 82 sct->log_id = std::string(crypto::kSHA256Length, static_cast<char>(i)); |
83 | 83 |
84 if (timestamp_past_enforcement_date) | 84 if (timestamp_past_enforcement_date) |
85 sct->timestamp = | 85 sct->timestamp = |
86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); | 86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); |
87 else | 87 else |
88 sct->timestamp = | 88 sct->timestamp = |
89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); | 89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); |
90 | 90 |
91 verified_scts->push_back(sct); | 91 verified_scts->push_back(sct); |
92 } | 92 } |
93 } | 93 } |
94 | 94 |
95 void FillListWithSCTsOfOrigin( | 95 void FillListWithSCTsOfOrigin( |
96 ct::SignedCertificateTimestamp::Origin desired_origin, | 96 ct::SignedCertificateTimestamp::Origin desired_origin, |
97 size_t num_scts, | 97 size_t num_scts, |
98 ct::SCTList* verified_scts) { | 98 ct::SCTList* verified_scts) { |
99 std::vector<std::string> desired_log_ids; | 99 std::vector<std::string> desired_log_ids; |
100 desired_log_ids.push_back(google_log_id_); | 100 desired_log_ids.push_back(google_log_id_); |
101 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, | 101 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, |
102 verified_scts); | 102 verified_scts); |
103 } | 103 } |
104 | 104 |
105 void FillSCTListWithRepeatedLogID(const std::string& desired_id, | |
106 size_t num_scts, | |
107 bool timestamp_past_enforcement_date, | |
108 ct::SCTList* verified_scts) { | |
109 std::vector<std::string> desired_log_ids(num_scts, desired_id); | |
110 | |
111 FillListWithSCTsOfOrigin( | |
112 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, num_scts, | |
113 desired_log_ids, timestamp_past_enforcement_date, verified_scts); | |
114 } | |
115 | |
116 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( | 105 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( |
117 const base::Time& start, | 106 const base::Time& start, |
118 const base::Time& end, | 107 const base::Time& end, |
119 size_t required_scts) { | 108 size_t required_scts) { |
120 scoped_refptr<X509Certificate> cert( | 109 scoped_refptr<X509Certificate> cert( |
121 new X509Certificate("subject", "issuer", start, end)); | 110 new X509Certificate("subject", "issuer", start, end)); |
122 ct::SCTList scts; | |
123 | |
124 for (size_t i = 0; i < required_scts - 1; ++i) { | 111 for (size_t i = 0; i < required_scts - 1; ++i) { |
125 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 112 ct::SCTList scts; |
| 113 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, |
126 std::vector<std::string>(), false, &scts); | 114 std::vector<std::string>(), false, &scts); |
127 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 115 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
128 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 116 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
129 BoundNetLog())) | 117 BoundNetLog())) |
130 << " for: " << (end - start).InDays() << " and " << required_scts | 118 << " for: " << (end - start).InDays() << " and " << required_scts |
131 << " scts=" << scts.size() << " i=" << i; | 119 << " scts=" << scts.size() << " i=" << i; |
132 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 120 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
133 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 121 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
134 scts, BoundNetLog())) | 122 scts, BoundNetLog())) |
135 << " for: " << (end - start).InDays() << " and " << required_scts | 123 << " for: " << (end - start).InDays() << " and " << required_scts |
136 << " scts=" << scts.size() << " i=" << i; | 124 << " scts=" << scts.size() << " i=" << i; |
137 } | 125 } |
138 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 126 ct::SCTList scts; |
139 std::vector<std::string>(), false, &scts); | 127 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 128 required_scts, std::vector<std::string>(), false, |
| 129 &scts); |
140 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 130 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
141 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 131 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
142 BoundNetLog())) | 132 BoundNetLog())) |
143 << " for: " << (end - start).InDays() << " and " << required_scts | 133 << " for: " << (end - start).InDays() << " and " << required_scts |
144 << " scts=" << scts.size(); | 134 << " scts=" << scts.size(); |
145 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 135 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
146 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 136 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
147 scts, BoundNetLog())) | 137 scts, BoundNetLog())) |
148 << " for: " << (end - start).InDays() << " and " << required_scts | 138 << " for: " << (end - start).InDays() << " and " << required_scts |
149 << " scts=" << scts.size(); | 139 << " scts=" << scts.size(); |
150 } | 140 } |
151 | 141 |
152 protected: | 142 protected: |
153 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; | 143 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; |
154 scoped_refptr<X509Certificate> chain_; | 144 scoped_refptr<X509Certificate> chain_; |
155 std::string google_log_id_; | 145 std::string google_log_id_; |
156 std::string non_google_log_id_; | 146 std::string non_google_log_id_; |
157 }; | 147 }; |
158 | 148 |
159 TEST_F(CTPolicyEnforcerTest, | 149 TEST_F(CTPolicyEnforcerTest, |
160 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 150 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
161 ct::SCTList scts; | 151 ct::SCTList scts; |
162 FillSCTListWithRepeatedLogID(google_log_id_, 2, true, &scts); | 152 std::vector<std::string> desired_log_ids(2, google_log_id_); |
| 153 |
| 154 FillListWithSCTsOfOrigin( |
| 155 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 156 desired_log_ids.size(), desired_log_ids, true, &scts); |
163 | 157 |
164 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 158 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
165 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 159 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
166 BoundNetLog())); | 160 BoundNetLog())); |
167 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 161 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
168 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 162 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
169 scts, BoundNetLog())); | 163 scts, BoundNetLog())); |
170 } | 164 } |
171 | 165 |
172 TEST_F(CTPolicyEnforcerTest, | 166 TEST_F(CTPolicyEnforcerTest, |
173 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 167 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
174 ct::SCTList scts; | 168 ct::SCTList scts; |
175 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, true, &scts); | 169 std::vector<std::string> desired_log_ids(2, non_google_log_id_); |
| 170 |
| 171 FillListWithSCTsOfOrigin( |
| 172 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 173 desired_log_ids.size(), desired_log_ids, true, &scts); |
176 | 174 |
177 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 175 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
178 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 176 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
179 BoundNetLog())); | 177 BoundNetLog())); |
180 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 178 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
181 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 179 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
182 scts, BoundNetLog())); | 180 scts, BoundNetLog())); |
183 } | 181 } |
184 | 182 |
185 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 183 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
186 ct::SCTList scts; | 184 ct::SCTList scts; |
187 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, false, &scts); | 185 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 186 // All 5 SCTs will be from non-Google logs. |
| 187 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 188 std::vector<std::string>(), false, &scts); |
188 | 189 |
189 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 190 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
190 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 191 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
191 BoundNetLog())); | 192 BoundNetLog())); |
192 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 193 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
193 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 194 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
194 scts, BoundNetLog())); | 195 scts, BoundNetLog())); |
195 } | 196 } |
196 | 197 |
197 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 198 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
(...skipping 16 matching lines...) Expand all Loading... |
214 &scts); | 215 &scts); |
215 | 216 |
216 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 217 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
217 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 218 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
218 BoundNetLog())); | 219 BoundNetLog())); |
219 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 220 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
220 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 221 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
221 scts, BoundNetLog())); | 222 scts, BoundNetLog())); |
222 } | 223 } |
223 | 224 |
| 225 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { |
| 226 ct::SCTList scts; |
| 227 std::vector<std::string> desired_logs; |
| 228 |
| 229 // One Google log, delivered via OCSP. |
| 230 desired_logs.clear(); |
| 231 desired_logs.push_back(google_log_id_); |
| 232 FillListWithSCTsOfOrigin( |
| 233 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
| 234 desired_logs.size(), desired_logs, true, &scts); |
| 235 |
| 236 // One non-Google log, delivered via TLS. |
| 237 desired_logs.clear(); |
| 238 desired_logs.push_back(non_google_log_id_); |
| 239 FillListWithSCTsOfOrigin( |
| 240 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 241 desired_logs.size(), desired_logs, true, &scts); |
| 242 |
| 243 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 244 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 245 BoundNetLog())); |
| 246 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 247 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 248 scts, BoundNetLog())); |
| 249 } |
| 250 |
| 251 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { |
| 252 ct::SCTList scts; |
| 253 std::vector<std::string> desired_logs; |
| 254 |
| 255 // One Google log, delivered embedded. |
| 256 desired_logs.clear(); |
| 257 desired_logs.push_back(google_log_id_); |
| 258 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 259 desired_logs.size(), desired_logs, true, &scts); |
| 260 |
| 261 // One non-Google log, delivered via OCSP. |
| 262 desired_logs.clear(); |
| 263 desired_logs.push_back(non_google_log_id_); |
| 264 FillListWithSCTsOfOrigin( |
| 265 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
| 266 desired_logs.size(), desired_logs, true, &scts); |
| 267 |
| 268 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 269 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 270 BoundNetLog())); |
| 271 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 272 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 273 scts, BoundNetLog())); |
| 274 } |
| 275 |
224 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 276 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
225 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 277 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
226 new DummyEVCertsWhitelist(true, false)); | 278 new DummyEVCertsWhitelist(true, false)); |
227 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 279 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
228 // However, as there are only two logs, two SCTs will be required - supply one | |
229 // to guarantee the test fails. | |
230 ct::SCTList scts; | 280 ct::SCTList scts; |
231 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 281 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
232 &scts); | 282 &scts); |
233 | 283 |
234 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 284 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
235 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 285 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
236 BoundNetLog())); | 286 BoundNetLog())); |
237 EXPECT_EQ( | 287 EXPECT_EQ( |
238 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 288 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
239 policy_enforcer_->DoesConformToCTEVPolicy( | 289 policy_enforcer_->DoesConformToCTEVPolicy( |
240 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); | 290 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); |
241 | 291 |
242 // ... but should be OK if whitelisted. | 292 // ... but should be OK if whitelisted. |
243 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 293 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
244 new DummyEVCertsWhitelist(true, true)); | 294 new DummyEVCertsWhitelist(true, true)); |
245 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 295 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
246 policy_enforcer_->DoesConformToCTEVPolicy( | 296 policy_enforcer_->DoesConformToCTEVPolicy( |
247 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 297 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
248 } | 298 } |
249 | 299 |
| 300 TEST_F(CTPolicyEnforcerTest, |
| 301 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { |
| 302 ct::SCTList scts; |
| 303 std::vector<std::string> desired_logs; |
| 304 |
| 305 // One Google Log. |
| 306 desired_logs.clear(); |
| 307 desired_logs.push_back(google_log_id_); |
| 308 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 309 desired_logs.size(), desired_logs, true, &scts); |
| 310 |
| 311 // Two distinct non-Google logs. |
| 312 desired_logs.clear(); |
| 313 desired_logs.push_back(std::string(crypto::kSHA256Length, 'A')); |
| 314 desired_logs.push_back(std::string(crypto::kSHA256Length, 'B')); |
| 315 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 316 desired_logs.size(), desired_logs, true, &scts); |
| 317 |
| 318 // Two unique SCTs from the same non-Google log. |
| 319 desired_logs.clear(); |
| 320 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
| 321 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
| 322 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 323 desired_logs.size(), desired_logs, true, &scts); |
| 324 |
| 325 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 326 // However, there are only 4 SCTs are from distinct logs. |
| 327 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 328 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 329 BoundNetLog())); |
| 330 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 331 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 332 scts, BoundNetLog())); |
| 333 } |
| 334 |
250 // TODO(estark): fix this test so that it can check if | 335 // TODO(estark): fix this test so that it can check if |
251 // |no_valid_dates_cert| is on the whitelist without | 336 // |no_valid_dates_cert| is on the whitelist without |
252 // crashing. https://crbug.com/582740 | 337 // crashing. https://crbug.com/582740 |
253 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) { | 338 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) { |
254 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 339 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
255 "subject", "issuer", base::Time(), base::Time::Now())); | 340 "subject", "issuer", base::Time(), base::Time::Now())); |
256 ct::SCTList scts; | 341 ct::SCTList scts; |
257 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 342 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
258 &scts); | 343 &scts); |
259 ASSERT_TRUE(no_valid_dates_cert); | 344 ASSERT_TRUE(no_valid_dates_cert); |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
314 kTestData[i].validity_start, kTestData[i].validity_end, | 399 kTestData[i].validity_start, kTestData[i].validity_end, |
315 kTestData[i].scts_required); | 400 kTestData[i].scts_required); |
316 } | 401 } |
317 } | 402 } |
318 | 403 |
319 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 404 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
320 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 405 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
321 new DummyEVCertsWhitelist(true, true)); | 406 new DummyEVCertsWhitelist(true, true)); |
322 | 407 |
323 ct::SCTList scts; | 408 ct::SCTList scts; |
324 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 409 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
325 &scts); | 410 &scts); |
326 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 411 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
327 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 412 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
328 BoundNetLog())); | 413 BoundNetLog())); |
329 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 414 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
330 policy_enforcer_->DoesConformToCTEVPolicy( | 415 policy_enforcer_->DoesConformToCTEVPolicy( |
331 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 416 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
332 } | 417 } |
333 | 418 |
334 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 419 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
335 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 420 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
336 new DummyEVCertsWhitelist(false, true)); | 421 new DummyEVCertsWhitelist(false, true)); |
337 | 422 |
338 ct::SCTList scts; | 423 ct::SCTList scts; |
339 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 424 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
340 &scts); | 425 &scts); |
341 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 426 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
342 policy_enforcer_->DoesConformToCTEVPolicy( | 427 policy_enforcer_->DoesConformToCTEVPolicy( |
343 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 428 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
344 } | 429 } |
345 | 430 |
346 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 431 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
347 ct::SCTList scts; | 432 ct::SCTList scts; |
348 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 433 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
349 &scts); | 434 &scts); |
350 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 435 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
351 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 436 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
352 scts, BoundNetLog())); | 437 scts, BoundNetLog())); |
353 } | 438 } |
354 | 439 |
355 } // namespace | 440 } // namespace |
356 | 441 |
357 } // namespace net | 442 } // namespace net |
OLD | NEW |