net/cert/ct_policy_enforcer_unittest.cc - Issue 1956273003: Revert of Mark the Certly.io log as disqualified, as of April 15 2016

Side by Side Diff: net/cert/ct_policy_enforcer_unittest.cc

Issue 1956273003: Revert of Mark the Certly.io log as disqualified, as of April 15 2016 (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@log_diversity

Patch Set: rebase Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/ct_policy_enforcer.h"	5 #include "net/cert/ct_policy_enforcer.h"

6	6

7 #include <memory>	7 #include <memory>

8 #include <string>	8 #include <string>

9	9

10 #include "base/time/time.h"	10 #include "base/time/time.h"

(...skipping 63 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
74 ct::SCTList* verified_scts) {	74 ct::SCTList* verified_scts) {

75 for (size_t i = 0; i < num_scts; ++i) {	75 for (size_t i = 0; i < num_scts; ++i) {

76 scoped_refptr<ct::SignedCertificateTimestamp> sct(	76 scoped_refptr<ct::SignedCertificateTimestamp> sct(

77 new ct::SignedCertificateTimestamp());	77 new ct::SignedCertificateTimestamp());

78 sct->origin = desired_origin;	78 sct->origin = desired_origin;

79 if (i < desired_log_keys.size())	79 if (i < desired_log_keys.size())

80 sct->log_id = desired_log_keys[i];	80 sct->log_id = desired_log_keys[i];

81 else	81 else

82 sct->log_id = std::string(crypto::kSHA256Length, static_cast<char>(i));	82 sct->log_id = std::string(crypto::kSHA256Length, static_cast<char>(i));

83	83

84 if (timestamp_past_enforcement_date) {	84 if (timestamp_past_enforcement_date)

85 sct->timestamp =	85 sct->timestamp =

86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0});	86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0});

87 } else {	87 else

88 sct->timestamp =	88 sct->timestamp =

89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0});	89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0});

90 }

91	90

92 verified_scts->push_back(sct);	91 verified_scts->push_back(sct);

93 }	92 }

94 }	93 }

95	94

96 void AddDisqualifiedLogSCT(

97 ct::SignedCertificateTimestamp::Origin desired_origin,

98 bool timestamp_after_disqualification_date,

99 ct::SCTList* verified_scts) {

100 static const char kCertlyLogID[] =

101 "\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e"

102 "\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00";

103 static_assert(arraysize(kCertlyLogID) - 1 == crypto::kSHA256Length,

104 "Incorrect log ID length.");

105

106 scoped_refptr<ct::SignedCertificateTimestamp> sct(

107 new ct::SignedCertificateTimestamp());

108 sct->origin = desired_origin;

109 sct->log_id = std::string(kCertlyLogID, crypto::kSHA256Length);

110 if (timestamp_after_disqualification_date) {

111 sct->timestamp =

112 base::Time::FromUTCExploded({2016, 4, 0, 16, 0, 0, 0, 0});

113 } else {

114 sct->timestamp = base::Time::FromUTCExploded({2016, 4, 0, 1, 0, 0, 0, 0});

115 }

116

117 verified_scts->push_back(sct);

118 }

119

120 void FillListWithSCTsOfOrigin(	95 void FillListWithSCTsOfOrigin(

121 ct::SignedCertificateTimestamp::Origin desired_origin,	96 ct::SignedCertificateTimestamp::Origin desired_origin,

122 size_t num_scts,	97 size_t num_scts,

123 ct::SCTList* verified_scts) {	98 ct::SCTList* verified_scts) {

124 std::vector<std::string> desired_log_ids;	99 std::vector<std::string> desired_log_ids;

125 desired_log_ids.push_back(google_log_id_);	100 desired_log_ids.push_back(google_log_id_);

126 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true,	101 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true,

127 verified_scts);	102 verified_scts);

128 }	103 }

129	104

(...skipping 185 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
315 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog()));	290 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog()));

316	291

317 // ... but should be OK if whitelisted.	292 // ... but should be OK if whitelisted.

318 scoped_refptr<ct::EVCertsWhitelist> whitelist(	293 scoped_refptr<ct::EVCertsWhitelist> whitelist(

319 new DummyEVCertsWhitelist(true, true));	294 new DummyEVCertsWhitelist(true, true));

320 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,	295 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,

321 policy_enforcer_->DoesConformToCTEVPolicy(	296 policy_enforcer_->DoesConformToCTEVPolicy(

322 chain_.get(), whitelist.get(), scts, BoundNetLog()));	297 chain_.get(), whitelist.get(), scts, BoundNetLog()));

323 }	298 }

324	299

325 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) {

326 ct::SCTList scts;

327

328 // The results should be the same before and after disqualification,

329 // regardless of the delivery method.

330

331 // SCT from before disqualification.

332 scts.clear();

333 FillListWithSCTsOfOrigin(

334 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts);

335 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,

336 false, &scts);

337 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,

338 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,

339 BoundNetLog()));

340 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,

341 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,

342 scts, BoundNetLog()));

343

344 // SCT from after disqualification.

345 scts.clear();

346 FillListWithSCTsOfOrigin(

347 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts);

348 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,

349 true, &scts);

350 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,

351 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,

352 BoundNetLog()));

353 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,

354 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,

355 scts, BoundNetLog()));

356

357 // Embedded SCT from before disqualification.

358 scts.clear();

359 FillListWithSCTsOfOrigin(

360 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts);

361 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false,

362 &scts);

363 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,

364 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,

365 BoundNetLog()));

366 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,

367 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,

368 scts, BoundNetLog()));

369

370 // Embedded SCT from after disqualification.

371 scts.clear();

372 FillListWithSCTsOfOrigin(

373 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts);

374 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true,

375 &scts);

376 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,

377 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,

378 BoundNetLog()));

379 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,

380 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,

381 scts, BoundNetLog()));

382 }

383

384 TEST_F(CTPolicyEnforcerTest,

385 ConformsWithDisqualifiedLogBeforeDisqualificationDate) {

386 ct::SCTList scts;

387 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4,

388 &scts);

389 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false,

390 &scts);

391

392 // \|chain_\| is valid for 10 years - over 121 months - so requires 5 SCTs.

393 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,

394 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,

395 BoundNetLog()));

396 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,

397 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,

398 scts, BoundNetLog()));

399 }

400

401 TEST_F(CTPolicyEnforcerTest,

402 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) {

403 ct::SCTList scts;

404 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4,

405 &scts);

406 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true,

407 &scts);

408

409 // \|chain_\| is valid for 10 years - over 121 months - so requires 5 SCTs.

410 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,

411 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,

412 BoundNetLog()));

413 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,

414 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,

415 scts, BoundNetLog()));

416 }

417

418 TEST_F(CTPolicyEnforcerTest,

419 DoesNotConformWithIssuanceDateAfterDisqualificationDate) {

420 ct::SCTList scts;

421 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true,

422 &scts);

423 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4,

424 &scts);

425 // Make sure all SCTs are after the disqualification date.

426 for (size_t i = 1; i < scts.size(); ++i)

427 scts[i]->timestamp = scts[0]->timestamp;

428

429 // \|chain_\| is valid for 10 years - over 121 months - so requires 5 SCTs.

430 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,

431 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,

432 BoundNetLog()));

433 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,

434 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,

435 scts, BoundNetLog()));

436 }

437

438 TEST_F(CTPolicyEnforcerTest,	300 TEST_F(CTPolicyEnforcerTest,

439 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) {	301 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) {

440 ct::SCTList scts;	302 ct::SCTList scts;

441 std::vector<std::string> desired_logs;	303 std::vector<std::string> desired_logs;

442	304

443 // One Google Log.	305 // One Google Log.

444 desired_logs.clear();	306 desired_logs.clear();

445 desired_logs.push_back(google_log_id_);	307 desired_logs.push_back(google_log_id_);

446 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,	308 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,

447 desired_logs.size(), desired_logs, true, &scts);	309 desired_logs.size(), desired_logs, true, &scts);

(...skipping 123 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
571 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,	433 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,

572 &scts);	434 &scts);

573 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,	435 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,

574 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,	436 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,

575 scts, BoundNetLog()));	437 scts, BoundNetLog()));

576 }	438 }

577	439

578 } // namespace	440 } // namespace

579	441

580 } // namespace net	442 } // namespace net

OLD	NEW

« no previous file with comments | « net/cert/ct_policy_enforcer.cc ('k') | no next file » | no next file with comments »