OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
(...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
74 ct::SCTList* verified_scts) { | 74 ct::SCTList* verified_scts) { |
75 for (size_t i = 0; i < num_scts; ++i) { | 75 for (size_t i = 0; i < num_scts; ++i) { |
76 scoped_refptr<ct::SignedCertificateTimestamp> sct( | 76 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
77 new ct::SignedCertificateTimestamp()); | 77 new ct::SignedCertificateTimestamp()); |
78 sct->origin = desired_origin; | 78 sct->origin = desired_origin; |
79 if (i < desired_log_keys.size()) | 79 if (i < desired_log_keys.size()) |
80 sct->log_id = desired_log_keys[i]; | 80 sct->log_id = desired_log_keys[i]; |
81 else | 81 else |
82 sct->log_id = std::string(crypto::kSHA256Length, static_cast<char>(i)); | 82 sct->log_id = std::string(crypto::kSHA256Length, static_cast<char>(i)); |
83 | 83 |
84 if (timestamp_past_enforcement_date) | 84 if (timestamp_past_enforcement_date) { |
85 sct->timestamp = | 85 sct->timestamp = |
86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); | 86 base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0}); |
87 else | 87 } else { |
88 sct->timestamp = | 88 sct->timestamp = |
89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); | 89 base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0}); |
| 90 } |
90 | 91 |
91 verified_scts->push_back(sct); | 92 verified_scts->push_back(sct); |
92 } | 93 } |
93 } | 94 } |
94 | 95 |
| 96 void AddDisqualifiedLogSCT( |
| 97 ct::SignedCertificateTimestamp::Origin desired_origin, |
| 98 bool timestamp_after_disqualification_date, |
| 99 ct::SCTList* verified_scts) { |
| 100 static const char kCertlyLogID[] = |
| 101 "\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e" |
| 102 "\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"; |
| 103 static_assert(arraysize(kCertlyLogID) - 1 == crypto::kSHA256Length, |
| 104 "Incorrect log ID length."); |
| 105 |
| 106 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
| 107 new ct::SignedCertificateTimestamp()); |
| 108 sct->origin = desired_origin; |
| 109 sct->log_id = std::string(kCertlyLogID, crypto::kSHA256Length); |
| 110 if (timestamp_after_disqualification_date) { |
| 111 sct->timestamp = |
| 112 base::Time::FromUTCExploded({2016, 4, 0, 16, 0, 0, 0, 0}); |
| 113 } else { |
| 114 sct->timestamp = base::Time::FromUTCExploded({2016, 4, 0, 1, 0, 0, 0, 0}); |
| 115 } |
| 116 |
| 117 verified_scts->push_back(sct); |
| 118 } |
| 119 |
95 void FillListWithSCTsOfOrigin( | 120 void FillListWithSCTsOfOrigin( |
96 ct::SignedCertificateTimestamp::Origin desired_origin, | 121 ct::SignedCertificateTimestamp::Origin desired_origin, |
97 size_t num_scts, | 122 size_t num_scts, |
98 ct::SCTList* verified_scts) { | 123 ct::SCTList* verified_scts) { |
99 std::vector<std::string> desired_log_ids; | 124 std::vector<std::string> desired_log_ids; |
100 desired_log_ids.push_back(google_log_id_); | 125 desired_log_ids.push_back(google_log_id_); |
101 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, | 126 FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true, |
102 verified_scts); | 127 verified_scts); |
103 } | 128 } |
104 | 129 |
(...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
290 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); | 315 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); |
291 | 316 |
292 // ... but should be OK if whitelisted. | 317 // ... but should be OK if whitelisted. |
293 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 318 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
294 new DummyEVCertsWhitelist(true, true)); | 319 new DummyEVCertsWhitelist(true, true)); |
295 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 320 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
296 policy_enforcer_->DoesConformToCTEVPolicy( | 321 policy_enforcer_->DoesConformToCTEVPolicy( |
297 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 322 chain_.get(), whitelist.get(), scts, BoundNetLog())); |
298 } | 323 } |
299 | 324 |
| 325 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { |
| 326 ct::SCTList scts; |
| 327 |
| 328 // The results should be the same before and after disqualification, |
| 329 // regardless of the delivery method. |
| 330 |
| 331 // SCT from before disqualification. |
| 332 scts.clear(); |
| 333 FillListWithSCTsOfOrigin( |
| 334 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
| 335 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 336 false, &scts); |
| 337 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 338 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 339 BoundNetLog())); |
| 340 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 341 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 342 scts, BoundNetLog())); |
| 343 |
| 344 // SCT from after disqualification. |
| 345 scts.clear(); |
| 346 FillListWithSCTsOfOrigin( |
| 347 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
| 348 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 349 true, &scts); |
| 350 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 351 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 352 BoundNetLog())); |
| 353 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 354 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 355 scts, BoundNetLog())); |
| 356 |
| 357 // Embedded SCT from before disqualification. |
| 358 scts.clear(); |
| 359 FillListWithSCTsOfOrigin( |
| 360 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
| 361 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, |
| 362 &scts); |
| 363 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 364 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 365 BoundNetLog())); |
| 366 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 367 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 368 scts, BoundNetLog())); |
| 369 |
| 370 // Embedded SCT from after disqualification. |
| 371 scts.clear(); |
| 372 FillListWithSCTsOfOrigin( |
| 373 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
| 374 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
| 375 &scts); |
| 376 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 377 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 378 BoundNetLog())); |
| 379 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
| 380 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 381 scts, BoundNetLog())); |
| 382 } |
| 383 |
| 384 TEST_F(CTPolicyEnforcerTest, |
| 385 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { |
| 386 ct::SCTList scts; |
| 387 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
| 388 &scts); |
| 389 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, |
| 390 &scts); |
| 391 |
| 392 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 393 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 394 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 395 BoundNetLog())); |
| 396 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
| 397 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 398 scts, BoundNetLog())); |
| 399 } |
| 400 |
| 401 TEST_F(CTPolicyEnforcerTest, |
| 402 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { |
| 403 ct::SCTList scts; |
| 404 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
| 405 &scts); |
| 406 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
| 407 &scts); |
| 408 |
| 409 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 410 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 411 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 412 BoundNetLog())); |
| 413 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 414 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 415 scts, BoundNetLog())); |
| 416 } |
| 417 |
| 418 TEST_F(CTPolicyEnforcerTest, |
| 419 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { |
| 420 ct::SCTList scts; |
| 421 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
| 422 &scts); |
| 423 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
| 424 &scts); |
| 425 // Make sure all SCTs are after the disqualification date. |
| 426 for (size_t i = 1; i < scts.size(); ++i) |
| 427 scts[i]->timestamp = scts[0]->timestamp; |
| 428 |
| 429 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 430 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 431 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 432 BoundNetLog())); |
| 433 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
| 434 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 435 scts, BoundNetLog())); |
| 436 } |
| 437 |
300 TEST_F(CTPolicyEnforcerTest, | 438 TEST_F(CTPolicyEnforcerTest, |
301 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { | 439 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { |
302 ct::SCTList scts; | 440 ct::SCTList scts; |
303 std::vector<std::string> desired_logs; | 441 std::vector<std::string> desired_logs; |
304 | 442 |
305 // One Google Log. | 443 // One Google Log. |
306 desired_logs.clear(); | 444 desired_logs.clear(); |
307 desired_logs.push_back(google_log_id_); | 445 desired_logs.push_back(google_log_id_); |
308 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 446 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
309 desired_logs.size(), desired_logs, true, &scts); | 447 desired_logs.size(), desired_logs, true, &scts); |
(...skipping 123 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
433 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 571 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
434 &scts); | 572 &scts); |
435 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 573 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
436 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 574 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
437 scts, BoundNetLog())); | 575 scts, BoundNetLog())); |
438 } | 576 } |
439 | 577 |
440 } // namespace | 578 } // namespace |
441 | 579 |
442 } // namespace net | 580 } // namespace net |
OLD | NEW |