OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
56 class CTPolicyEnforcerTest : public ::testing::Test { | 56 class CTPolicyEnforcerTest : public ::testing::Test { |
57 public: | 57 public: |
58 void SetUp() override { | 58 void SetUp() override { |
59 policy_enforcer_.reset(new CTPolicyEnforcer); | 59 policy_enforcer_.reset(new CTPolicyEnforcer); |
60 | 60 |
61 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 61 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
62 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | 62 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
63 der_test_cert.size()); | 63 der_test_cert.size()); |
64 ASSERT_TRUE(chain_.get()); | 64 ASSERT_TRUE(chain_.get()); |
65 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); | 65 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); |
66 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); | 66 non_google_log_id_.assign(crypto::kSHA256Length, 1); |
67 } | 67 } |
68 | 68 |
69 void FillListWithSCTsOfOrigin( | 69 void FillListWithSCTsOfOrigin( |
70 ct::SignedCertificateTimestamp::Origin desired_origin, | 70 ct::SignedCertificateTimestamp::Origin desired_origin, |
71 size_t num_scts, | 71 size_t num_scts, |
72 const std::vector<std::string>& desired_log_keys, | 72 const std::vector<std::string>& desired_log_keys, |
73 bool timestamp_past_enforcement_date, | 73 bool timestamp_past_enforcement_date, |
74 ct::SCTList* verified_scts) { | 74 ct::SCTList* verified_scts) { |
75 for (size_t i = 0; i < num_scts; ++i) { | 75 for (size_t i = 0; i < num_scts; ++i) { |
76 scoped_refptr<ct::SignedCertificateTimestamp> sct( | 76 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
77 new ct::SignedCertificateTimestamp()); | 77 new ct::SignedCertificateTimestamp()); |
78 sct->origin = desired_origin; | 78 sct->origin = desired_origin; |
79 if (i < desired_log_keys.size()) | 79 if (i < desired_log_keys.size()) |
80 sct->log_id = desired_log_keys[i]; | 80 sct->log_id = desired_log_keys[i]; |
81 else | 81 else |
82 sct->log_id = non_google_log_id_; | 82 sct->log_id = std::string(crypto::kSHA256Length, static_cast<char>(i)); |
83 | 83 |
84 if (timestamp_past_enforcement_date) | 84 if (timestamp_past_enforcement_date) |
85 sct->timestamp = | 85 sct->timestamp = |
86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); | 86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); |
87 else | 87 else |
88 sct->timestamp = | 88 sct->timestamp = |
89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); | 89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); |
90 | 90 |
91 verified_scts->push_back(sct); | 91 verified_scts->push_back(sct); |
92 } | 92 } |
93 } | 93 } |
94 | 94 |
95 void FillListWithSCTsOfOrigin( | 95 void FillListWithSCTsOfOrigin( |
96 ct::SignedCertificateTimestamp::Origin desired_origin, | 96 ct::SignedCertificateTimestamp::Origin desired_origin, |
97 size_t num_scts, | 97 size_t num_scts, |
98 ct::SCTList* verified_scts) { | 98 ct::SCTList* verified_scts) { |
99 std::vector<std::string> desired_log_ids; | 99 std::vector<std::string> desired_log_ids; |
100 desired_log_ids.push_back(google_log_id_); | 100 desired_log_ids.push_back(google_log_id_); |
101 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, | 101 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, |
102 verified_scts); | 102 verified_scts); |
103 } | 103 } |
104 | 104 |
105 void FillSCTListWithRepeatedLogID(const std::string& desired_id, | |
106 size_t num_scts, | |
107 bool timestamp_past_enforcement_date, | |
108 ct::SCTList* verified_scts) { | |
109 std::vector<std::string> desired_log_ids(num_scts, desired_id); | |
110 | |
111 FillListWithSCTsOfOrigin( | |
112 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, num_scts, | |
113 desired_log_ids, timestamp_past_enforcement_date, verified_scts); | |
114 } | |
115 | |
116 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( | 105 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( |
117 const base::Time& start, | 106 const base::Time& start, |
118 const base::Time& end, | 107 const base::Time& end, |
119 size_t required_scts) { | 108 size_t required_scts) { |
120 scoped_refptr<X509Certificate> cert( | 109 scoped_refptr<X509Certificate> cert( |
121 new X509Certificate("subject", "issuer", start, end)); | 110 new X509Certificate("subject", "issuer", start, end)); |
122 ct::SCTList scts; | |
123 | |
124 for (size_t i = 0; i < required_scts - 1; ++i) { | 111 for (size_t i = 0; i < required_scts - 1; ++i) { |
125 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 112 ct::SCTList scts; |
Ryan Sleevi
2016/05/02 23:41:24
Changed because the original code was duplicating
| |
113 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, | |
126 std::vector<std::string>(), false, &scts); | 114 std::vector<std::string>(), false, &scts); |
127 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 115 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
128 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 116 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
129 BoundNetLog())) | 117 BoundNetLog())) |
130 << " for: " << (end - start).InDays() << " and " << required_scts | 118 << " for: " << (end - start).InDays() << " and " << required_scts |
131 << " scts=" << scts.size() << " i=" << i; | 119 << " scts=" << scts.size() << " i=" << i; |
132 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 120 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
133 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 121 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
134 scts, BoundNetLog())) | 122 scts, BoundNetLog())) |
135 << " for: " << (end - start).InDays() << " and " << required_scts | 123 << " for: " << (end - start).InDays() << " and " << required_scts |
136 << " scts=" << scts.size() << " i=" << i; | 124 << " scts=" << scts.size() << " i=" << i; |
137 } | 125 } |
138 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 126 ct::SCTList scts; |
139 std::vector<std::string>(), false, &scts); | 127 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
128 required_scts, std::vector<std::string>(), false, | |
129 &scts); | |
140 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 130 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
141 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 131 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
142 BoundNetLog())) | 132 BoundNetLog())) |
143 << " for: " << (end - start).InDays() << " and " << required_scts | 133 << " for: " << (end - start).InDays() << " and " << required_scts |
144 << " scts=" << scts.size(); | 134 << " scts=" << scts.size(); |
145 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 135 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
146 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 136 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
147 scts, BoundNetLog())) | 137 scts, BoundNetLog())) |
148 << " for: " << (end - start).InDays() << " and " << required_scts | 138 << " for: " << (end - start).InDays() << " and " << required_scts |
149 << " scts=" << scts.size(); | 139 << " scts=" << scts.size(); |
150 } | 140 } |
151 | 141 |
152 protected: | 142 protected: |
153 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; | 143 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; |
154 scoped_refptr<X509Certificate> chain_; | 144 scoped_refptr<X509Certificate> chain_; |
155 std::string google_log_id_; | 145 std::string google_log_id_; |
156 std::string non_google_log_id_; | 146 std::string non_google_log_id_; |
157 }; | 147 }; |
158 | 148 |
159 TEST_F(CTPolicyEnforcerTest, | 149 TEST_F(CTPolicyEnforcerTest, |
160 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 150 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
161 ct::SCTList scts; | 151 ct::SCTList scts; |
162 FillSCTListWithRepeatedLogID(google_log_id_, 2, true, &scts); | 152 std::vector<std::string> desired_log_ids(2, google_log_id_); |
153 | |
154 FillListWithSCTsOfOrigin( | |
155 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | |
156 desired_log_ids.size(), desired_log_ids, true, &scts); | |
Ryan Sleevi
2016/05/02 23:41:24
Trying to reduce magic boiler-plate because it too
| |
163 | 157 |
164 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 158 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
165 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 159 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
166 BoundNetLog())); | 160 BoundNetLog())); |
167 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 161 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
168 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 162 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
169 scts, BoundNetLog())); | 163 scts, BoundNetLog())); |
170 } | 164 } |
171 | 165 |
172 TEST_F(CTPolicyEnforcerTest, | 166 TEST_F(CTPolicyEnforcerTest, |
173 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 167 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
174 ct::SCTList scts; | 168 ct::SCTList scts; |
175 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, true, &scts); | 169 std::vector<std::string> desired_log_ids(2, non_google_log_id_); |
170 | |
171 FillListWithSCTsOfOrigin( | |
172 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | |
173 desired_log_ids.size(), desired_log_ids, true, &scts); | |
176 | 174 |
177 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 175 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
178 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 176 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
179 BoundNetLog())); | 177 BoundNetLog())); |
180 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 178 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
181 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 179 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
182 scts, BoundNetLog())); | 180 scts, BoundNetLog())); |
183 } | 181 } |
184 | 182 |
185 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 183 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
186 ct::SCTList scts; | 184 ct::SCTList scts; |
187 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, false, &scts); | 185 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
186 // All 5 SCTs will be from non-Google logs. | |
187 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
188 std::vector<std::string>(), false, &scts); | |
Ryan Sleevi
2016/05/02 23:41:24
The old test relied on the TLS extension method, w
| |
188 | 189 |
189 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 190 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
190 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 191 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
191 BoundNetLog())); | 192 BoundNetLog())); |
192 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 193 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
193 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 194 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
194 scts, BoundNetLog())); | 195 scts, BoundNetLog())); |
195 } | 196 } |
196 | 197 |
197 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 198 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
(...skipping 16 matching lines...) Expand all Loading... | |
214 &scts); | 215 &scts); |
215 | 216 |
216 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 217 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
217 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 218 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
218 BoundNetLog())); | 219 BoundNetLog())); |
219 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 220 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
220 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 221 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
221 scts, BoundNetLog())); | 222 scts, BoundNetLog())); |
222 } | 223 } |
223 | 224 |
225 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { | |
226 ct::SCTList scts; | |
227 std::vector<std::string> desired_logs; | |
228 | |
229 // One Google log, delivered via OCSP. | |
230 desired_logs.clear(); | |
231 desired_logs.push_back(google_log_id_); | |
232 FillListWithSCTsOfOrigin( | |
233 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | |
234 desired_logs.size(), desired_logs, true, &scts); | |
235 | |
236 // One non-Google log, delivered via TLS. | |
237 desired_logs.clear(); | |
238 desired_logs.push_back(non_google_log_id_); | |
239 FillListWithSCTsOfOrigin( | |
240 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | |
241 desired_logs.size(), desired_logs, true, &scts); | |
242 | |
243 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | |
244 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | |
245 BoundNetLog())); | |
246 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
247 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | |
248 scts, BoundNetLog())); | |
249 } | |
250 | |
251 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { | |
252 ct::SCTList scts; | |
253 std::vector<std::string> desired_logs; | |
254 | |
255 // One Google log, delivered embedded. | |
256 desired_logs.clear(); | |
257 desired_logs.push_back(google_log_id_); | |
258 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
259 desired_logs.size(), desired_logs, true, &scts); | |
260 | |
261 // One non-Google log, delivered via OCSP. | |
262 desired_logs.clear(); | |
263 desired_logs.push_back(non_google_log_id_); | |
264 FillListWithSCTsOfOrigin( | |
265 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | |
266 desired_logs.size(), desired_logs, true, &scts); | |
267 | |
268 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | |
269 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | |
270 BoundNetLog())); | |
271 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
272 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | |
273 scts, BoundNetLog())); | |
274 } | |
275 | |
224 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 276 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
225 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 277 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
226 new DummyEVCertsWhitelist(true, false)); | 278 new DummyEVCertsWhitelist(true, false)); |
227 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 279 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
228 // However, as there are only two logs, two SCTs will be required - supply one | |
229 // to guarantee the test fails. | |
230 ct::SCTList scts; | 280 ct::SCTList scts; |
231 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 281 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
Ryan Sleevi
2016/05/02 23:41:24
The change to 2 here (and later on) is to ensure t
| |
232 &scts); | 282 &scts); |
233 | 283 |
234 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 284 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
235 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 285 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
236 BoundNetLog())); | 286 BoundNetLog())); |
237 EXPECT_EQ( | 287 EXPECT_EQ( |
238 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 288 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
239 policy_enforcer_->DoesConformToCTEVPolicy( | 289 policy_enforcer_->DoesConformToCTEVPolicy( |
240 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); | 290 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); |
241 | 291 |
242 // ... but should be OK if whitelisted. | 292 // ... but should be OK if whitelisted. |
243 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 293 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
244 new DummyEVCertsWhitelist(true, true)); | 294 new DummyEVCertsWhitelist(true, true)); |
245 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 295 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
246 policy_enforcer_->DoesConformToCTEVPolicy( | 296 policy_enforcer_->DoesConformToCTEVPolicy( |
247 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 297 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
248 } | 298 } |
249 | 299 |
300 TEST_F(CTPolicyEnforcerTest, | |
301 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { | |
302 ct::SCTList scts; | |
303 std::vector<std::string> desired_logs; | |
304 | |
305 // One Google Log. | |
306 desired_logs.clear(); | |
307 desired_logs.push_back(google_log_id_); | |
308 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
309 desired_logs.size(), desired_logs, true, &scts); | |
310 | |
311 // Two distinct non-Google logs. | |
312 desired_logs.clear(); | |
313 desired_logs.push_back(std::string(crypto::kSHA256Length, 'A')); | |
314 desired_logs.push_back(std::string(crypto::kSHA256Length, 'B')); | |
315 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
316 desired_logs.size(), desired_logs, true, &scts); | |
317 | |
318 // Two unique SCTs from the same non-Google log. | |
319 desired_logs.clear(); | |
320 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | |
321 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | |
322 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
323 desired_logs.size(), desired_logs, true, &scts); | |
324 | |
325 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
326 // However, there are only 4 SCTs are from distinct logs. | |
327 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | |
328 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | |
329 BoundNetLog())); | |
330 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
331 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | |
332 scts, BoundNetLog())); | |
333 } | |
334 | |
250 // TODO(estark): fix this test so that it can check if | 335 // TODO(estark): fix this test so that it can check if |
251 // |no_valid_dates_cert| is on the whitelist without | 336 // |no_valid_dates_cert| is on the whitelist without |
252 // crashing. https://crbug.com/582740 | 337 // crashing. https://crbug.com/582740 |
253 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) { | 338 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) { |
254 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 339 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
255 "subject", "issuer", base::Time(), base::Time::Now())); | 340 "subject", "issuer", base::Time(), base::Time::Now())); |
256 ct::SCTList scts; | 341 ct::SCTList scts; |
257 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 342 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
258 &scts); | 343 &scts); |
259 ASSERT_TRUE(no_valid_dates_cert); | 344 ASSERT_TRUE(no_valid_dates_cert); |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
314 kTestData[i].validity_start, kTestData[i].validity_end, | 399 kTestData[i].validity_start, kTestData[i].validity_end, |
315 kTestData[i].scts_required); | 400 kTestData[i].scts_required); |
316 } | 401 } |
317 } | 402 } |
318 | 403 |
319 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 404 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
320 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 405 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
321 new DummyEVCertsWhitelist(true, true)); | 406 new DummyEVCertsWhitelist(true, true)); |
322 | 407 |
323 ct::SCTList scts; | 408 ct::SCTList scts; |
324 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 409 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
325 &scts); | 410 &scts); |
326 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 411 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
327 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 412 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
328 BoundNetLog())); | 413 BoundNetLog())); |
329 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 414 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
330 policy_enforcer_->DoesConformToCTEVPolicy( | 415 policy_enforcer_->DoesConformToCTEVPolicy( |
331 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 416 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
332 } | 417 } |
333 | 418 |
334 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 419 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
335 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 420 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
336 new DummyEVCertsWhitelist(false, true)); | 421 new DummyEVCertsWhitelist(false, true)); |
337 | 422 |
338 ct::SCTList scts; | 423 ct::SCTList scts; |
339 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 424 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
340 &scts); | 425 &scts); |
341 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 426 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
342 policy_enforcer_->DoesConformToCTEVPolicy( | 427 policy_enforcer_->DoesConformToCTEVPolicy( |
343 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 428 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
344 } | 429 } |
345 | 430 |
346 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 431 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
347 ct::SCTList scts; | 432 ct::SCTList scts; |
348 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 433 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
349 &scts); | 434 &scts); |
350 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 435 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
351 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 436 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
352 scts, BoundNetLog())); | 437 scts, BoundNetLog())); |
353 } | 438 } |
354 | 439 |
355 } // namespace | 440 } // namespace |
356 | 441 |
357 } // namespace net | 442 } // namespace net |
OLD | NEW |