Chromium Code Reviews Chromium Code Reviews
Issue 1941973002:
Align the CT Implementation with Policy (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 56 class CTPolicyEnforcerTest : public ::testing::Test { | 56 class CTPolicyEnforcerTest : public ::testing::Test { |
| 57 public: | 57 public: |
| 58 void SetUp() override { | 58 void SetUp() override { |
| 59 policy_enforcer_.reset(new CTPolicyEnforcer); | 59 policy_enforcer_.reset(new CTPolicyEnforcer); |
| 60 | 60 |
| 61 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 61 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
| 62 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | 62 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
| 63 der_test_cert.size()); | 63 der_test_cert.size()); |
| 64 ASSERT_TRUE(chain_.get()); | 64 ASSERT_TRUE(chain_.get()); |
| 65 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); | 65 google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length); |
| 66 non_google_log_id_.assign(crypto::kSHA256Length, 'A'); | 66 non_google_log_id_.assign(crypto::kSHA256Length, 1); |
| 67 } | 67 } |
| 68 | 68 |
| 69 void FillListWithSCTsOfOrigin( | 69 void FillListWithSCTsOfOrigin( |
| 70 ct::SignedCertificateTimestamp::Origin desired_origin, | 70 ct::SignedCertificateTimestamp::Origin desired_origin, |
| 71 size_t num_scts, | 71 size_t num_scts, |
| 72 const std::vector<std::string>& desired_log_keys, | 72 const std::vector<std::string>& desired_log_keys, |
| 73 bool timestamp_past_enforcement_date, | 73 bool timestamp_past_enforcement_date, |
| 74 ct::SCTList* verified_scts) { | 74 ct::SCTList* verified_scts) { |
| 75 for (size_t i = 0; i < num_scts; ++i) { | 75 for (size_t i = 0; i < num_scts; ++i) { |
| 76 scoped_refptr<ct::SignedCertificateTimestamp> sct( | 76 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
| 77 new ct::SignedCertificateTimestamp()); | 77 new ct::SignedCertificateTimestamp()); |
| 78 sct->origin = desired_origin; | 78 sct->origin = desired_origin; |
| 79 if (i < desired_log_keys.size()) | 79 if (i < desired_log_keys.size()) |
| 80 sct->log_id = desired_log_keys[i]; | 80 sct->log_id = desired_log_keys[i]; |
| 81 else | 81 else |
| 82 sct->log_id = non_google_log_id_; | 82 sct->log_id = std::string(crypto::kSHA256Length, static_cast<char>(i)); |
| 83 | 83 |
| 84 if (timestamp_past_enforcement_date) | 84 if (timestamp_past_enforcement_date) |
| 85 sct->timestamp = | 85 sct->timestamp = |
| 86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); | 86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); |
| 87 else | 87 else |
| 88 sct->timestamp = | 88 sct->timestamp = |
| 89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); | 89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); |
| 90 | 90 |
| 91 verified_scts->push_back(sct); | 91 verified_scts->push_back(sct); |
| 92 } | 92 } |
| 93 } | 93 } |
| 94 | 94 |
| 95 void FillListWithSCTsOfOrigin( | 95 void FillListWithSCTsOfOrigin( |
| 96 ct::SignedCertificateTimestamp::Origin desired_origin, | 96 ct::SignedCertificateTimestamp::Origin desired_origin, |
| 97 size_t num_scts, | 97 size_t num_scts, |
| 98 ct::SCTList* verified_scts) { | 98 ct::SCTList* verified_scts) { |
| 99 std::vector<std::string> desired_log_ids; | 99 std::vector<std::string> desired_log_ids; |
| 100 desired_log_ids.push_back(google_log_id_); | 100 desired_log_ids.push_back(google_log_id_); |
| 101 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, | 101 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, |
| 102 verified_scts); | 102 verified_scts); |
| 103 } | 103 } |
| 104 | 104 |
| 105 void FillSCTListWithRepeatedLogID(const std::string& desired_id, | |
| 106 size_t num_scts, | |
| 107 bool timestamp_past_enforcement_date, | |
| 108 ct::SCTList* verified_scts) { | |
| 109 std::vector<std::string> desired_log_ids(num_scts, desired_id); | |
| 110 | |
| 111 FillListWithSCTsOfOrigin( | |
| 112 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, num_scts, | |
| 113 desired_log_ids, timestamp_past_enforcement_date, verified_scts); | |
| 114 } | |
| 115 | |
| 116 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( | 105 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs( |
| 117 const base::Time& start, | 106 const base::Time& start, |
| 118 const base::Time& end, | 107 const base::Time& end, |
| 119 size_t required_scts) { | 108 size_t required_scts) { |
| 120 scoped_refptr<X509Certificate> cert( | 109 scoped_refptr<X509Certificate> cert( |
| 121 new X509Certificate("subject", "issuer", start, end)); | 110 new X509Certificate("subject", "issuer", start, end)); |
| 122 ct::SCTList scts; | |
| 123 | |
| 124 for (size_t i = 0; i < required_scts - 1; ++i) { | 111 for (size_t i = 0; i < required_scts - 1; ++i) { |
| 125 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 112 ct::SCTList scts; |
|
Ryan Sleevi
2016/05/02 23:41:24
Changed because the original code was duplicating
| |
| 113 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, | |
| 126 std::vector<std::string>(), false, &scts); | 114 std::vector<std::string>(), false, &scts); |
| 127 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 115 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 128 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 116 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
| 129 BoundNetLog())) | 117 BoundNetLog())) |
| 130 << " for: " << (end - start).InDays() << " and " << required_scts | 118 << " for: " << (end - start).InDays() << " and " << required_scts |
| 131 << " scts=" << scts.size() << " i=" << i; | 119 << " scts=" << scts.size() << " i=" << i; |
| 132 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 120 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 133 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 121 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
| 134 scts, BoundNetLog())) | 122 scts, BoundNetLog())) |
| 135 << " for: " << (end - start).InDays() << " and " << required_scts | 123 << " for: " << (end - start).InDays() << " and " << required_scts |
| 136 << " scts=" << scts.size() << " i=" << i; | 124 << " scts=" << scts.size() << " i=" << i; |
| 137 } | 125 } |
| 138 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 126 ct::SCTList scts; |
| 139 std::vector<std::string>(), false, &scts); | 127 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 128 required_scts, std::vector<std::string>(), false, | |
| 129 &scts); | |
| 140 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 130 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 141 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 131 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
| 142 BoundNetLog())) | 132 BoundNetLog())) |
| 143 << " for: " << (end - start).InDays() << " and " << required_scts | 133 << " for: " << (end - start).InDays() << " and " << required_scts |
| 144 << " scts=" << scts.size(); | 134 << " scts=" << scts.size(); |
| 145 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 135 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 146 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 136 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, |
| 147 scts, BoundNetLog())) | 137 scts, BoundNetLog())) |
| 148 << " for: " << (end - start).InDays() << " and " << required_scts | 138 << " for: " << (end - start).InDays() << " and " << required_scts |
| 149 << " scts=" << scts.size(); | 139 << " scts=" << scts.size(); |
| 150 } | 140 } |
| 151 | 141 |
| 152 protected: | 142 protected: |
| 153 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; | 143 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; |
| 154 scoped_refptr<X509Certificate> chain_; | 144 scoped_refptr<X509Certificate> chain_; |
| 155 std::string google_log_id_; | 145 std::string google_log_id_; |
| 156 std::string non_google_log_id_; | 146 std::string non_google_log_id_; |
| 157 }; | 147 }; |
| 158 | 148 |
| 159 TEST_F(CTPolicyEnforcerTest, | 149 TEST_F(CTPolicyEnforcerTest, |
| 160 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 150 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
| 161 ct::SCTList scts; | 151 ct::SCTList scts; |
| 162 FillSCTListWithRepeatedLogID(google_log_id_, 2, true, &scts); | 152 std::vector<std::string> desired_log_ids(2, google_log_id_); |
| 153 | |
| 154 FillListWithSCTsOfOrigin( | |
| 155 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | |
| 156 desired_log_ids.size(), desired_log_ids, true, &scts); | |
|
Ryan Sleevi
2016/05/02 23:41:24
Trying to reduce magic boiler-plate because it too
| |
| 163 | 157 |
| 164 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 158 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 165 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 159 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 166 BoundNetLog())); | 160 BoundNetLog())); |
| 167 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 161 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 168 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 162 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 169 scts, BoundNetLog())); | 163 scts, BoundNetLog())); |
| 170 } | 164 } |
| 171 | 165 |
| 172 TEST_F(CTPolicyEnforcerTest, | 166 TEST_F(CTPolicyEnforcerTest, |
| 173 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 167 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
| 174 ct::SCTList scts; | 168 ct::SCTList scts; |
| 175 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, true, &scts); | 169 std::vector<std::string> desired_log_ids(2, non_google_log_id_); |
| 170 | |
| 171 FillListWithSCTsOfOrigin( | |
| 172 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | |
| 173 desired_log_ids.size(), desired_log_ids, true, &scts); | |
| 176 | 174 |
| 177 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 175 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 178 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 176 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 179 BoundNetLog())); | 177 BoundNetLog())); |
| 180 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 178 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 181 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 179 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 182 scts, BoundNetLog())); | 180 scts, BoundNetLog())); |
| 183 } | 181 } |
| 184 | 182 |
| 185 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 183 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
| 186 ct::SCTList scts; | 184 ct::SCTList scts; |
| 187 FillSCTListWithRepeatedLogID(non_google_log_id_, 2, false, &scts); | 185 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 186 // All 5 SCTs will be from non-Google logs. | |
| 187 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
| 188 std::vector<std::string>(), false, &scts); | |
|
Ryan Sleevi
2016/05/02 23:41:24
The old test relied on the TLS extension method, w
| |
| 188 | 189 |
| 189 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 190 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 190 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 191 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 191 BoundNetLog())); | 192 BoundNetLog())); |
| 192 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 193 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 193 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 194 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 194 scts, BoundNetLog())); | 195 scts, BoundNetLog())); |
| 195 } | 196 } |
| 196 | 197 |
| 197 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 198 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| (...skipping 16 matching lines...) Expand all Loading... | |
| 214 &scts); | 215 &scts); |
| 215 | 216 |
| 216 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 217 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 217 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 218 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 218 BoundNetLog())); | 219 BoundNetLog())); |
| 219 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 220 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 220 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 221 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 221 scts, BoundNetLog())); | 222 scts, BoundNetLog())); |
| 222 } | 223 } |
| 223 | 224 |
| 225 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { | |
| 226 ct::SCTList scts; | |
| 227 std::vector<std::string> desired_logs; | |
| 228 | |
| 229 // One Google log, delivered via OCSP. | |
| 230 desired_logs.clear(); | |
| 231 desired_logs.push_back(google_log_id_); | |
| 232 FillListWithSCTsOfOrigin( | |
| 233 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | |
| 234 desired_logs.size(), desired_logs, true, &scts); | |
| 235 | |
| 236 // One non-Google log, delivered via TLS. | |
| 237 desired_logs.clear(); | |
| 238 desired_logs.push_back(non_google_log_id_); | |
| 239 FillListWithSCTsOfOrigin( | |
| 240 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | |
| 241 desired_logs.size(), desired_logs, true, &scts); | |
| 242 | |
| 243 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | |
| 244 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | |
| 245 BoundNetLog())); | |
| 246 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
| 247 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | |
| 248 scts, BoundNetLog())); | |
| 249 } | |
| 250 | |
| 251 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { | |
| 252 ct::SCTList scts; | |
| 253 std::vector<std::string> desired_logs; | |
| 254 | |
| 255 // One Google log, delivered embedded. | |
| 256 desired_logs.clear(); | |
| 257 desired_logs.push_back(google_log_id_); | |
| 258 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
| 259 desired_logs.size(), desired_logs, true, &scts); | |
| 260 | |
| 261 // One non-Google log, delivered via OCSP. | |
| 262 desired_logs.clear(); | |
| 263 desired_logs.push_back(non_google_log_id_); | |
| 264 FillListWithSCTsOfOrigin( | |
| 265 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | |
| 266 desired_logs.size(), desired_logs, true, &scts); | |
| 267 | |
| 268 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | |
| 269 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | |
| 270 BoundNetLog())); | |
| 271 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
| 272 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | |
| 273 scts, BoundNetLog())); | |
| 274 } | |
| 275 | |
| 224 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 276 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 225 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 277 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
| 226 new DummyEVCertsWhitelist(true, false)); | 278 new DummyEVCertsWhitelist(true, false)); |
| 227 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 279 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 228 // However, as there are only two logs, two SCTs will be required - supply one | |
| 229 // to guarantee the test fails. | |
| 230 ct::SCTList scts; | 280 ct::SCTList scts; |
| 231 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 281 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
|
Ryan Sleevi
2016/05/02 23:41:24
The change to 2 here (and later on) is to ensure t
| |
| 232 &scts); | 282 &scts); |
| 233 | 283 |
| 234 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 284 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 235 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 285 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 236 BoundNetLog())); | 286 BoundNetLog())); |
| 237 EXPECT_EQ( | 287 EXPECT_EQ( |
| 238 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 288 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 239 policy_enforcer_->DoesConformToCTEVPolicy( | 289 policy_enforcer_->DoesConformToCTEVPolicy( |
| 240 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); | 290 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); |
| 241 | 291 |
| 242 // ... but should be OK if whitelisted. | 292 // ... but should be OK if whitelisted. |
| 243 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 293 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 244 new DummyEVCertsWhitelist(true, true)); | 294 new DummyEVCertsWhitelist(true, true)); |
| 245 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 295 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 246 policy_enforcer_->DoesConformToCTEVPolicy( | 296 policy_enforcer_->DoesConformToCTEVPolicy( |
| 247 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 297 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
| 248 } | 298 } |
| 249 | 299 |
| 300 TEST_F(CTPolicyEnforcerTest, | |
| 301 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { | |
| 302 ct::SCTList scts; | |
| 303 std::vector<std::string> desired_logs; | |
| 304 | |
| 305 // One Google Log. | |
| 306 desired_logs.clear(); | |
| 307 desired_logs.push_back(google_log_id_); | |
| 308 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
| 309 desired_logs.size(), desired_logs, true, &scts); | |
| 310 | |
| 311 // Two distinct non-Google logs. | |
| 312 desired_logs.clear(); | |
| 313 desired_logs.push_back(std::string(crypto::kSHA256Length, 'A')); | |
| 314 desired_logs.push_back(std::string(crypto::kSHA256Length, 'B')); | |
| 315 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
| 316 desired_logs.size(), desired_logs, true, &scts); | |
| 317 | |
| 318 // Two unique SCTs from the same non-Google log. | |
| 319 desired_logs.clear(); | |
| 320 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | |
| 321 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | |
| 322 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
| 323 desired_logs.size(), desired_logs, true, &scts); | |
| 324 | |
| 325 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
| 326 // However, there are only 4 SCTs are from distinct logs. | |
| 327 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | |
| 328 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | |
| 329 BoundNetLog())); | |
| 330 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
| 331 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | |
| 332 scts, BoundNetLog())); | |
| 333 } | |
| 334 | |
| 250 // TODO(estark): fix this test so that it can check if | 335 // TODO(estark): fix this test so that it can check if |
| 251 // |no_valid_dates_cert| is on the whitelist without | 336 // |no_valid_dates_cert| is on the whitelist without |
| 252 // crashing. https://crbug.com/582740 | 337 // crashing. https://crbug.com/582740 |
| 253 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) { | 338 TEST_F(CTPolicyEnforcerTest, DISABLED_DoesNotConformToPolicyInvalidDates) { |
| 254 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 339 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
| 255 "subject", "issuer", base::Time(), base::Time::Now())); | 340 "subject", "issuer", base::Time(), base::Time::Now())); |
| 256 ct::SCTList scts; | 341 ct::SCTList scts; |
| 257 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 342 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 258 &scts); | 343 &scts); |
| 259 ASSERT_TRUE(no_valid_dates_cert); | 344 ASSERT_TRUE(no_valid_dates_cert); |
| (...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 314 kTestData[i].validity_start, kTestData[i].validity_end, | 399 kTestData[i].validity_start, kTestData[i].validity_end, |
| 315 kTestData[i].scts_required); | 400 kTestData[i].scts_required); |
| 316 } | 401 } |
| 317 } | 402 } |
| 318 | 403 |
| 319 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 404 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
| 320 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 405 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 321 new DummyEVCertsWhitelist(true, true)); | 406 new DummyEVCertsWhitelist(true, true)); |
| 322 | 407 |
| 323 ct::SCTList scts; | 408 ct::SCTList scts; |
| 324 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 409 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
| 325 &scts); | 410 &scts); |
| 326 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 411 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 327 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 412 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 328 BoundNetLog())); | 413 BoundNetLog())); |
| 329 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 414 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
| 330 policy_enforcer_->DoesConformToCTEVPolicy( | 415 policy_enforcer_->DoesConformToCTEVPolicy( |
| 331 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 416 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
| 332 } | 417 } |
| 333 | 418 |
| 334 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 419 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
| 335 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 420 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 336 new DummyEVCertsWhitelist(false, true)); | 421 new DummyEVCertsWhitelist(false, true)); |
| 337 | 422 |
| 338 ct::SCTList scts; | 423 ct::SCTList scts; |
| 339 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 424 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
| 340 &scts); | 425 &scts); |
| 341 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 426 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 342 policy_enforcer_->DoesConformToCTEVPolicy( | 427 policy_enforcer_->DoesConformToCTEVPolicy( |
| 343 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 428 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
| 344 } | 429 } |
| 345 | 430 |
| 346 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 431 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
| 347 ct::SCTList scts; | 432 ct::SCTList scts; |
| 348 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 433 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
| 349 &scts); | 434 &scts); |
| 350 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 435 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 351 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 436 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 352 scts, BoundNetLog())); | 437 scts, BoundNetLog())); |
| 353 } | 438 } |
| 354 | 439 |
| 355 } // namespace | 440 } // namespace |
| 356 | 441 |
| 357 } // namespace net | 442 } // namespace net |
| OLD | NEW |
