| OLD | NEW |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| (...skipping 189 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 200 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 200 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 201 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 201 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 202 BoundNetLog())); | 202 BoundNetLog())); |
| 203 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 203 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 204 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 204 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 205 scts, BoundNetLog())); | 205 scts, BoundNetLog())); |
| 206 } | 206 } |
| 207 | 207 |
| 208 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 208 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
| 209 ct::SCTList scts; | 209 ct::SCTList scts; |
| 210 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 210 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 211 // All 5 SCTs will be from non-Google logs. | 211 // All 5 SCTs will be from non-Google logs. |
| 212 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 212 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 213 std::vector<std::string>(), false, &scts); | 213 std::vector<std::string>(), false, &scts); |
| 214 | 214 |
| 215 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 215 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 216 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 216 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 217 BoundNetLog())); | 217 BoundNetLog())); |
| 218 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 218 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 219 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 219 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 220 scts, BoundNetLog())); | 220 scts, BoundNetLog())); |
| 221 } | 221 } |
| 222 | 222 |
| 223 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 223 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| 224 ct::SCTList scts; | 224 ct::SCTList scts; |
| 225 FillListWithSCTsOfOrigin( | 225 FillListWithSCTsOfOrigin( |
| 226 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); | 226 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); |
| 227 | 227 |
| 228 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 228 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 229 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 229 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 230 BoundNetLog())); | 230 BoundNetLog())); |
| 231 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 231 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 232 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 232 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 233 scts, BoundNetLog())); | 233 scts, BoundNetLog())); |
| 234 } | 234 } |
| 235 | 235 |
| 236 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 236 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| 237 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 237 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 238 ct::SCTList scts; | 238 ct::SCTList scts; |
| 239 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 239 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 240 &scts); | 240 &scts); |
| 241 | 241 |
| 242 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 242 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 243 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 243 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 244 BoundNetLog())); | 244 BoundNetLog())); |
| 245 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 245 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 246 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 246 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 247 scts, BoundNetLog())); | 247 scts, BoundNetLog())); |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 294 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 294 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 295 BoundNetLog())); | 295 BoundNetLog())); |
| 296 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 296 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 297 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 297 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 298 scts, BoundNetLog())); | 298 scts, BoundNetLog())); |
| 299 } | 299 } |
| 300 | 300 |
| 301 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 301 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 302 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 302 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
| 303 new DummyEVCertsWhitelist(true, false)); | 303 new DummyEVCertsWhitelist(true, false)); |
| 304 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 304 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 305 ct::SCTList scts; | 305 ct::SCTList scts; |
| 306 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 306 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
| 307 &scts); | 307 &scts); |
| 308 | 308 |
| 309 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 309 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 310 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 310 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 311 BoundNetLog())); | 311 BoundNetLog())); |
| 312 EXPECT_EQ( | 312 EXPECT_EQ( |
| 313 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 313 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 314 policy_enforcer_->DoesConformToCTEVPolicy( | 314 policy_enforcer_->DoesConformToCTEVPolicy( |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 382 } | 382 } |
| 383 | 383 |
| 384 TEST_F(CTPolicyEnforcerTest, | 384 TEST_F(CTPolicyEnforcerTest, |
| 385 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { | 385 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { |
| 386 ct::SCTList scts; | 386 ct::SCTList scts; |
| 387 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 387 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
| 388 &scts); | 388 &scts); |
| 389 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, | 389 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, |
| 390 &scts); | 390 &scts); |
| 391 | 391 |
| 392 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 392 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 393 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 393 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 394 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 394 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 395 BoundNetLog())); | 395 BoundNetLog())); |
| 396 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 396 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 397 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 397 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 398 scts, BoundNetLog())); | 398 scts, BoundNetLog())); |
| 399 } | 399 } |
| 400 | 400 |
| 401 TEST_F(CTPolicyEnforcerTest, | 401 TEST_F(CTPolicyEnforcerTest, |
| 402 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { | 402 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { |
| 403 ct::SCTList scts; | 403 ct::SCTList scts; |
| 404 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 404 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
| 405 &scts); | 405 &scts); |
| 406 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 406 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
| 407 &scts); | 407 &scts); |
| 408 | 408 |
| 409 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 409 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 410 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 410 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 411 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 411 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 412 BoundNetLog())); | 412 BoundNetLog())); |
| 413 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 413 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 414 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 414 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 415 scts, BoundNetLog())); | 415 scts, BoundNetLog())); |
| 416 } | 416 } |
| 417 | 417 |
| 418 TEST_F(CTPolicyEnforcerTest, | 418 TEST_F(CTPolicyEnforcerTest, |
| 419 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { | 419 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { |
| 420 ct::SCTList scts; | 420 ct::SCTList scts; |
| 421 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 421 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
| 422 &scts); | 422 &scts); |
| 423 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 423 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
| 424 &scts); | 424 &scts); |
| 425 // Make sure all SCTs are after the disqualification date. | 425 // Make sure all SCTs are after the disqualification date. |
| 426 for (size_t i = 1; i < scts.size(); ++i) | 426 for (size_t i = 1; i < scts.size(); ++i) |
| 427 scts[i]->timestamp = scts[0]->timestamp; | 427 scts[i]->timestamp = scts[0]->timestamp; |
| 428 | 428 |
| 429 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 429 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 430 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 430 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 431 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 431 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 432 BoundNetLog())); | 432 BoundNetLog())); |
| 433 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 433 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 434 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 434 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 435 scts, BoundNetLog())); | 435 scts, BoundNetLog())); |
| 436 } | 436 } |
| 437 | 437 |
| 438 TEST_F(CTPolicyEnforcerTest, | 438 TEST_F(CTPolicyEnforcerTest, |
| 439 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { | 439 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { |
| (...skipping 13 matching lines...) Expand all Loading... |
| 453 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 453 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 454 desired_logs.size(), desired_logs, true, &scts); | 454 desired_logs.size(), desired_logs, true, &scts); |
| 455 | 455 |
| 456 // Two unique SCTs from the same non-Google log. | 456 // Two unique SCTs from the same non-Google log. |
| 457 desired_logs.clear(); | 457 desired_logs.clear(); |
| 458 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | 458 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
| 459 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | 459 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
| 460 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 460 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 461 desired_logs.size(), desired_logs, true, &scts); | 461 desired_logs.size(), desired_logs, true, &scts); |
| 462 | 462 |
| 463 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 463 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 464 // However, there are only 4 SCTs are from distinct logs. | 464 // However, there are only 4 SCTs are from distinct logs. |
| 465 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 465 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 466 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 466 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 467 BoundNetLog())); | 467 BoundNetLog())); |
| 468 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 468 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 469 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 469 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 470 scts, BoundNetLog())); | 470 scts, BoundNetLog())); |
| 471 } | 471 } |
| 472 | 472 |
| 473 // TODO(estark): fix this test so that it can check if | 473 // TODO(estark): fix this test so that it can check if |
| (...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 571 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 571 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
| 572 &scts); | 572 &scts); |
| 573 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 573 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 574 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 574 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 575 scts, BoundNetLog())); | 575 scts, BoundNetLog())); |
| 576 } | 576 } |
| 577 | 577 |
| 578 } // namespace | 578 } // namespace |
| 579 | 579 |
| 580 } // namespace net | 580 } // namespace net |
| OLD | NEW |