Add CheckOCSPDateValid() to net/cert/internal

net/cert/internal/parse_ocsp_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/parse_ocsp.h"
 
 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "net/cert/internal/test_helpers.h"
 #include "net/cert/x509_certificate.h"
+#include "net/der/encode_values.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 namespace {
 
+const base::TimeDelta kOCSPAgeOneWeek = base::TimeDelta::FromDays(7);
+
 std::string GetFilePath(const std::string& file_name) {
   return std::string("net/data/parse_ocsp_unittest/") + file_name;
 }
 
 enum OCSPFailure {
   OCSP_SUCCESS,
   PARSE_CERT,
   PARSE_OCSP,
   OCSP_NOT_SUCCESSFUL,
   PARSE_OCSP_DATA,
@@ skipping 147 matching lines @@
 }
 
 TEST(ParseOCSPTest, OCSPOCSPSingleExtension) {
   ASSERT_EQ(OCSP_SUCCESS, ParseOCSP("has_single_extension.pem"));
 }
 
 TEST(ParseOCSPTest, OCSPMissingResponse) {
   ASSERT_EQ(PARSE_OCSP_SINGLE_RESPONSE, ParseOCSP("missing_response.pem"));
 }
 
+TEST(OCSPDateTest, Valid) {
+  OCSPSingleResponse response;
+
+  base::Time now = base::Time::Now();
+  base::Time this_update = now - base::TimeDelta::FromHours(1);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(this_update, &response.this_update));
+  response.has_next_update = false;
+  EXPECT_TRUE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+
+  base::Time next_update = this_update + base::TimeDelta::FromDays(7);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(next_update, &response.next_update));
+  response.has_next_update = true;
+  EXPECT_TRUE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+}
+
+TEST(OCSPDateTest, ThisUpdateInTheFuture) {
+  OCSPSingleResponse response;
+
+  base::Time now = base::Time::Now();
+  base::Time this_update = now + base::TimeDelta::FromHours(1);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(this_update, &response.this_update));
+  response.has_next_update = false;
+  EXPECT_FALSE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+
+  base::Time next_update = this_update + base::TimeDelta::FromDays(7);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(next_update, &response.next_update));
+  response.has_next_update = true;
+  EXPECT_FALSE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+}
+
+TEST(OCSPDateTest, NextUpdatePassed) {
+  OCSPSingleResponse response;
+
+  base::Time now = base::Time::Now();
+  base::Time this_update = now - base::TimeDelta::FromDays(6);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(this_update, &response.this_update));
+  response.has_next_update = false;
+  EXPECT_TRUE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+
+  base::Time next_update = now - base::TimeDelta::FromHours(1);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(next_update, &response.next_update));
+  response.has_next_update = true;
+  EXPECT_FALSE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+}
+
+TEST(OCSPDateTest, NextUpdateBeforeThisUpdate) {
+  OCSPSingleResponse response;
+
+  base::Time now = base::Time::Now();
+  base::Time this_update = now - base::TimeDelta::FromDays(1);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(this_update, &response.this_update));
+  response.has_next_update = false;
+  EXPECT_TRUE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+
+  base::Time next_update = this_update - base::TimeDelta::FromDays(1);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(next_update, &response.next_update));
+  response.has_next_update = true;
+  EXPECT_FALSE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+}
+
+TEST(OCSPDateTest, ThisUpdateOlderThanMaxAge) {
+  OCSPSingleResponse response;
+
+  base::Time now = base::Time::Now();
+  base::Time this_update = now - kOCSPAgeOneWeek;
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(this_update, &response.this_update));
+  response.has_next_update = false;
+  EXPECT_TRUE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+
+  base::Time next_update = now + base::TimeDelta::FromHours(1);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(next_update, &response.next_update));
+  response.has_next_update = true;
+  EXPECT_TRUE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+
+  ASSERT_TRUE(der::EncodeTimeAsGeneralizedTime(
+      this_update - base::TimeDelta::FromSeconds(1), &response.this_update));
+  response.has_next_update = false;
+  EXPECT_FALSE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+  response.has_next_update = true;
+  EXPECT_FALSE(CheckOCSPDateValid(response, now, kOCSPAgeOneWeek));
+}
+
+TEST(OCSPDateTest, VerifyTimeFromBeforeWindowsEpoch) {
+  OCSPSingleResponse response;
+  base::Time windows_epoch;
+  base::Time verify_time = windows_epoch - base::TimeDelta::FromDays(1);
+
+  base::Time now = base::Time::Now();
+  base::Time this_update = now - base::TimeDelta::FromHours(1);
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(this_update, &response.this_update));
+  response.has_next_update = false;
+  EXPECT_FALSE(CheckOCSPDateValid(response, verify_time, kOCSPAgeOneWeek));
+
+  base::Time next_update = this_update + kOCSPAgeOneWeek;
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(next_update, &response.next_update));
+  response.has_next_update = true;
+  EXPECT_FALSE(CheckOCSPDateValid(response, verify_time, kOCSPAgeOneWeek));
+}
+
+TEST(OCSPDateTest, VerifyTimeMinusAgeFromBeforeWindowsEpoch) {
+  OCSPSingleResponse response;
+  base::Time windows_epoch;
+  base::Time verify_time = windows_epoch + base::TimeDelta::FromDays(1);
+
+  base::Time this_update = windows_epoch;
+  ASSERT_TRUE(
+      der::EncodeTimeAsGeneralizedTime(this_update, &response.this_update));
+  response.has_next_update = false;
+#ifdef OS_WIN
+  EXPECT_FALSE(CheckOCSPDateValid(response, verify_time, kOCSPAgeOneWeek));
+#else
+  EXPECT_TRUE(CheckOCSPDateValid(response, verify_time, kOCSPAgeOneWeek));
+#endif
+}
+
 }  // namespace net