Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(363)

Side by Side Diff: net/cert/ct_policy_enforcer_unittest.cc

Issue 2351513002: net: rename BoundNetLog to NetLogWithSource (Closed)
Patch Set: one more fix, content bound_net_log_ Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/ct_policy_enforcer.h" 5 #include "net/cert/ct_policy_enforcer.h"
6 6
7 #include <memory> 7 #include <memory>
8 #include <string> 8 #include <string>
9 9
10 #include "base/time/time.h" 10 #include "base/time/time.h"
(...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after
140 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { 140 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) {
141 ct::SCTList scts; 141 ct::SCTList scts;
142 std::vector<std::string> desired_log_ids(2, google_log_id_); 142 std::vector<std::string> desired_log_ids(2, google_log_id_);
143 143
144 FillListWithSCTsOfOrigin( 144 FillListWithSCTsOfOrigin(
145 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 145 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
146 desired_log_ids.size(), desired_log_ids, true, &scts); 146 desired_log_ids.size(), desired_log_ids, true, &scts);
147 147
148 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, 148 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
149 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 149 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
150 BoundNetLog())); 150 NetLogWithSource()));
151 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, 151 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
152 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 152 policy_enforcer_->DoesConformToCTEVPolicy(
153 scts, BoundNetLog())); 153 chain_.get(), nullptr, scts, NetLogWithSource()));
154 } 154 }
155 155
156 TEST_F(CTPolicyEnforcerTest, 156 TEST_F(CTPolicyEnforcerTest,
157 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { 157 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) {
158 ct::SCTList scts; 158 ct::SCTList scts;
159 std::vector<std::string> desired_log_ids(2, non_google_log_id_); 159 std::vector<std::string> desired_log_ids(2, non_google_log_id_);
160 160
161 FillListWithSCTsOfOrigin( 161 FillListWithSCTsOfOrigin(
162 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 162 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
163 desired_log_ids.size(), desired_log_ids, true, &scts); 163 desired_log_ids.size(), desired_log_ids, true, &scts);
164 164
165 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, 165 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
166 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 166 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
167 BoundNetLog())); 167 NetLogWithSource()));
168 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, 168 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
169 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 169 policy_enforcer_->DoesConformToCTEVPolicy(
170 scts, BoundNetLog())); 170 chain_.get(), nullptr, scts, NetLogWithSource()));
171 } 171 }
172 172
173 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { 173 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
174 ct::SCTList scts; 174 ct::SCTList scts;
175 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. 175 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
176 // All 5 SCTs will be from non-Google logs. 176 // All 5 SCTs will be from non-Google logs.
177 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 177 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
178 std::vector<std::string>(), false, &scts); 178 std::vector<std::string>(), false, &scts);
179 179
180 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, 180 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
181 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 181 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
182 BoundNetLog())); 182 NetLogWithSource()));
183 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 183 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
184 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 184 policy_enforcer_->DoesConformToCTEVPolicy(
185 scts, BoundNetLog())); 185 chain_.get(), nullptr, scts, NetLogWithSource()));
186 } 186 }
187 187
188 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { 188 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
189 ct::SCTList scts; 189 ct::SCTList scts;
190 FillListWithSCTsOfOrigin( 190 FillListWithSCTsOfOrigin(
191 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); 191 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts);
192 192
193 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, 193 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
194 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 194 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
195 BoundNetLog())); 195 NetLogWithSource()));
196 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 196 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
197 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 197 policy_enforcer_->DoesConformToCTEVPolicy(
198 scts, BoundNetLog())); 198 chain_.get(), nullptr, scts, NetLogWithSource()));
199 } 199 }
200 200
201 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { 201 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
202 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. 202 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
203 ct::SCTList scts; 203 ct::SCTList scts;
204 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, 204 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
205 &scts); 205 &scts);
206 206
207 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, 207 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
208 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 208 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
209 BoundNetLog())); 209 NetLogWithSource()));
210 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 210 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
211 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 211 policy_enforcer_->DoesConformToCTEVPolicy(
212 scts, BoundNetLog())); 212 chain_.get(), nullptr, scts, NetLogWithSource()));
213 } 213 }
214 214
215 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { 215 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) {
216 ct::SCTList scts; 216 ct::SCTList scts;
217 std::vector<std::string> desired_logs; 217 std::vector<std::string> desired_logs;
218 218
219 // One Google log, delivered via OCSP. 219 // One Google log, delivered via OCSP.
220 desired_logs.clear(); 220 desired_logs.clear();
221 desired_logs.push_back(google_log_id_); 221 desired_logs.push_back(google_log_id_);
222 FillListWithSCTsOfOrigin( 222 FillListWithSCTsOfOrigin(
223 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, 223 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE,
224 desired_logs.size(), desired_logs, true, &scts); 224 desired_logs.size(), desired_logs, true, &scts);
225 225
226 // One non-Google log, delivered via TLS. 226 // One non-Google log, delivered via TLS.
227 desired_logs.clear(); 227 desired_logs.clear();
228 desired_logs.push_back(non_google_log_id_); 228 desired_logs.push_back(non_google_log_id_);
229 FillListWithSCTsOfOrigin( 229 FillListWithSCTsOfOrigin(
230 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 230 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
231 desired_logs.size(), desired_logs, true, &scts); 231 desired_logs.size(), desired_logs, true, &scts);
232 232
233 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, 233 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
234 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 234 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
235 BoundNetLog())); 235 NetLogWithSource()));
236 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 236 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
237 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 237 policy_enforcer_->DoesConformToCTEVPolicy(
238 scts, BoundNetLog())); 238 chain_.get(), nullptr, scts, NetLogWithSource()));
239 } 239 }
240 240
241 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { 241 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) {
242 ct::SCTList scts; 242 ct::SCTList scts;
243 std::vector<std::string> desired_logs; 243 std::vector<std::string> desired_logs;
244 244
245 // One Google log, delivered embedded. 245 // One Google log, delivered embedded.
246 desired_logs.clear(); 246 desired_logs.clear();
247 desired_logs.push_back(google_log_id_); 247 desired_logs.push_back(google_log_id_);
248 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 248 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
249 desired_logs.size(), desired_logs, true, &scts); 249 desired_logs.size(), desired_logs, true, &scts);
250 250
251 // One non-Google log, delivered via OCSP. 251 // One non-Google log, delivered via OCSP.
252 desired_logs.clear(); 252 desired_logs.clear();
253 desired_logs.push_back(non_google_log_id_); 253 desired_logs.push_back(non_google_log_id_);
254 FillListWithSCTsOfOrigin( 254 FillListWithSCTsOfOrigin(
255 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, 255 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE,
256 desired_logs.size(), desired_logs, true, &scts); 256 desired_logs.size(), desired_logs, true, &scts);
257 257
258 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, 258 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
259 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 259 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
260 BoundNetLog())); 260 NetLogWithSource()));
261 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 261 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
262 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 262 policy_enforcer_->DoesConformToCTEVPolicy(
263 scts, BoundNetLog())); 263 chain_.get(), nullptr, scts, NetLogWithSource()));
264 } 264 }
265 265
266 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { 266 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
267 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( 267 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
268 new DummyEVCertsWhitelist(true, false)); 268 new DummyEVCertsWhitelist(true, false));
269 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. 269 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
270 ct::SCTList scts; 270 ct::SCTList scts;
271 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, 271 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
272 &scts); 272 &scts);
273 273
274 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, 274 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
275 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 275 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
276 BoundNetLog())); 276 NetLogWithSource()));
277 EXPECT_EQ( 277 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
278 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 278 policy_enforcer_->DoesConformToCTEVPolicy(
279 policy_enforcer_->DoesConformToCTEVPolicy( 279 chain_.get(), non_including_whitelist.get(), scts,
280 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); 280 NetLogWithSource()));
281 281
282 // ... but should be OK if whitelisted. 282 // ... but should be OK if whitelisted.
283 scoped_refptr<ct::EVCertsWhitelist> whitelist( 283 scoped_refptr<ct::EVCertsWhitelist> whitelist(
284 new DummyEVCertsWhitelist(true, true)); 284 new DummyEVCertsWhitelist(true, true));
285 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, 285 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
286 policy_enforcer_->DoesConformToCTEVPolicy( 286 policy_enforcer_->DoesConformToCTEVPolicy(
287 chain_.get(), whitelist.get(), scts, BoundNetLog())); 287 chain_.get(), whitelist.get(), scts, NetLogWithSource()));
288 } 288 }
289 289
290 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { 290 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) {
291 ct::SCTList scts; 291 ct::SCTList scts;
292 292
293 // The results should be the same before and after disqualification, 293 // The results should be the same before and after disqualification,
294 // regardless of the delivery method. 294 // regardless of the delivery method.
295 295
296 // SCT from before disqualification. 296 // SCT from before disqualification.
297 scts.clear(); 297 scts.clear();
298 FillListWithSCTsOfOrigin( 298 FillListWithSCTsOfOrigin(
299 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); 299 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts);
300 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 300 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
301 false, &scts); 301 false, &scts);
302 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, 302 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
303 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 303 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
304 BoundNetLog())); 304 NetLogWithSource()));
305 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, 305 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
306 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 306 policy_enforcer_->DoesConformToCTEVPolicy(
307 scts, BoundNetLog())); 307 chain_.get(), nullptr, scts, NetLogWithSource()));
308 308
309 // SCT from after disqualification. 309 // SCT from after disqualification.
310 scts.clear(); 310 scts.clear();
311 FillListWithSCTsOfOrigin( 311 FillListWithSCTsOfOrigin(
312 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); 312 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts);
313 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 313 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
314 true, &scts); 314 true, &scts);
315 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, 315 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
316 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 316 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
317 BoundNetLog())); 317 NetLogWithSource()));
318 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, 318 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
319 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 319 policy_enforcer_->DoesConformToCTEVPolicy(
320 scts, BoundNetLog())); 320 chain_.get(), nullptr, scts, NetLogWithSource()));
321 321
322 // Embedded SCT from before disqualification. 322 // Embedded SCT from before disqualification.
323 scts.clear(); 323 scts.clear();
324 FillListWithSCTsOfOrigin( 324 FillListWithSCTsOfOrigin(
325 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); 325 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts);
326 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, 326 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false,
327 &scts); 327 &scts);
328 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, 328 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
329 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 329 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
330 BoundNetLog())); 330 NetLogWithSource()));
331 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, 331 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
332 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 332 policy_enforcer_->DoesConformToCTEVPolicy(
333 scts, BoundNetLog())); 333 chain_.get(), nullptr, scts, NetLogWithSource()));
334 334
335 // Embedded SCT from after disqualification. 335 // Embedded SCT from after disqualification.
336 scts.clear(); 336 scts.clear();
337 FillListWithSCTsOfOrigin( 337 FillListWithSCTsOfOrigin(
338 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); 338 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts);
339 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, 339 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true,
340 &scts); 340 &scts);
341 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, 341 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
342 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 342 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
343 BoundNetLog())); 343 NetLogWithSource()));
344 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, 344 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
345 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 345 policy_enforcer_->DoesConformToCTEVPolicy(
346 scts, BoundNetLog())); 346 chain_.get(), nullptr, scts, NetLogWithSource()));
347 } 347 }
348 348
349 TEST_F(CTPolicyEnforcerTest, 349 TEST_F(CTPolicyEnforcerTest,
350 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { 350 ConformsWithDisqualifiedLogBeforeDisqualificationDate) {
351 ct::SCTList scts; 351 ct::SCTList scts;
352 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, 352 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4,
353 &scts); 353 &scts);
354 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, 354 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false,
355 &scts); 355 &scts);
356 356
357 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. 357 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
358 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, 358 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
359 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 359 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
360 BoundNetLog())); 360 NetLogWithSource()));
361 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 361 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
362 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 362 policy_enforcer_->DoesConformToCTEVPolicy(
363 scts, BoundNetLog())); 363 chain_.get(), nullptr, scts, NetLogWithSource()));
364 } 364 }
365 365
366 TEST_F(CTPolicyEnforcerTest, 366 TEST_F(CTPolicyEnforcerTest,
367 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { 367 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) {
368 ct::SCTList scts; 368 ct::SCTList scts;
369 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, 369 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4,
370 &scts); 370 &scts);
371 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, 371 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true,
372 &scts); 372 &scts);
373 373
374 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. 374 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
375 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, 375 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
376 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 376 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
377 BoundNetLog())); 377 NetLogWithSource()));
378 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 378 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
379 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 379 policy_enforcer_->DoesConformToCTEVPolicy(
380 scts, BoundNetLog())); 380 chain_.get(), nullptr, scts, NetLogWithSource()));
381 } 381 }
382 382
383 TEST_F(CTPolicyEnforcerTest, 383 TEST_F(CTPolicyEnforcerTest,
384 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { 384 DoesNotConformWithIssuanceDateAfterDisqualificationDate) {
385 ct::SCTList scts; 385 ct::SCTList scts;
386 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, 386 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true,
387 &scts); 387 &scts);
388 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, 388 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4,
389 &scts); 389 &scts);
390 // Make sure all SCTs are after the disqualification date. 390 // Make sure all SCTs are after the disqualification date.
391 for (size_t i = 1; i < scts.size(); ++i) 391 for (size_t i = 1; i < scts.size(); ++i)
392 scts[i]->timestamp = scts[0]->timestamp; 392 scts[i]->timestamp = scts[0]->timestamp;
393 393
394 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. 394 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
395 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, 395 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
396 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 396 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
397 BoundNetLog())); 397 NetLogWithSource()));
398 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 398 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
399 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 399 policy_enforcer_->DoesConformToCTEVPolicy(
400 scts, BoundNetLog())); 400 chain_.get(), nullptr, scts, NetLogWithSource()));
401 } 401 }
402 402
403 TEST_F(CTPolicyEnforcerTest, 403 TEST_F(CTPolicyEnforcerTest,
404 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { 404 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) {
405 ct::SCTList scts; 405 ct::SCTList scts;
406 std::vector<std::string> desired_logs; 406 std::vector<std::string> desired_logs;
407 407
408 // One Google Log. 408 // One Google Log.
409 desired_logs.clear(); 409 desired_logs.clear();
410 desired_logs.push_back(google_log_id_); 410 desired_logs.push_back(google_log_id_);
(...skipping 11 matching lines...) Expand all
422 desired_logs.clear(); 422 desired_logs.clear();
423 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); 423 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C'));
424 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); 424 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C'));
425 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 425 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
426 desired_logs.size(), desired_logs, true, &scts); 426 desired_logs.size(), desired_logs, true, &scts);
427 427
428 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. 428 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
429 // However, there are only 4 SCTs are from distinct logs. 429 // However, there are only 4 SCTs are from distinct logs.
430 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, 430 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
431 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 431 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
432 BoundNetLog())); 432 NetLogWithSource()));
433 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 433 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
434 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 434 policy_enforcer_->DoesConformToCTEVPolicy(
435 scts, BoundNetLog())); 435 chain_.get(), nullptr, scts, NetLogWithSource()));
436 } 436 }
437 437
438 TEST_F(CTPolicyEnforcerTest, 438 TEST_F(CTPolicyEnforcerTest,
439 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { 439 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
440 std::unique_ptr<crypto::RSAPrivateKey> private_key( 440 std::unique_ptr<crypto::RSAPrivateKey> private_key(
441 crypto::RSAPrivateKey::Create(1024)); 441 crypto::RSAPrivateKey::Create(1024));
442 ASSERT_TRUE(private_key); 442 ASSERT_TRUE(private_key);
443 443
444 // Test multiple validity periods 444 // Test multiple validity periods
445 const struct TestData { 445 const struct TestData {
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
489 scoped_refptr<X509Certificate> cert( 489 scoped_refptr<X509Certificate> cert(
490 X509Certificate::CreateFromBytes(cert_data.data(), cert_data.size())); 490 X509Certificate::CreateFromBytes(cert_data.data(), cert_data.size()));
491 ASSERT_TRUE(cert); 491 ASSERT_TRUE(cert);
492 492
493 for (size_t i = 0; i < required_scts - 1; ++i) { 493 for (size_t i = 0; i < required_scts - 1; ++i) {
494 ct::SCTList scts; 494 ct::SCTList scts;
495 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, 495 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i,
496 std::vector<std::string>(), false, &scts); 496 std::vector<std::string>(), false, &scts);
497 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, 497 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
498 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, 498 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts,
499 BoundNetLog())) 499 NetLogWithSource()))
500 << " for: " << (end - start).InDays() << " and " << required_scts 500 << " for: " << (end - start).InDays() << " and " << required_scts
501 << " scts=" << scts.size() << " i=" << i; 501 << " scts=" << scts.size() << " i=" << i;
502 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 502 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
503 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, 503 policy_enforcer_->DoesConformToCTEVPolicy(
504 scts, BoundNetLog())) 504 cert.get(), nullptr, scts, NetLogWithSource()))
505 << " for: " << (end - start).InDays() << " and " << required_scts 505 << " for: " << (end - start).InDays() << " and " << required_scts
506 << " scts=" << scts.size() << " i=" << i; 506 << " scts=" << scts.size() << " i=" << i;
507 } 507 }
508 ct::SCTList scts; 508 ct::SCTList scts;
509 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 509 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
510 required_scts, std::vector<std::string>(), false, 510 required_scts, std::vector<std::string>(), false,
511 &scts); 511 &scts);
512 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, 512 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
513 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, 513 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts,
514 BoundNetLog())) 514 NetLogWithSource()))
515 << " for: " << (end - start).InDays() << " and " << required_scts 515 << " for: " << (end - start).InDays() << " and " << required_scts
516 << " scts=" << scts.size(); 516 << " scts=" << scts.size();
517 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, 517 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
518 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, 518 policy_enforcer_->DoesConformToCTEVPolicy(
519 scts, BoundNetLog())) 519 cert.get(), nullptr, scts, NetLogWithSource()))
520 << " for: " << (end - start).InDays() << " and " << required_scts 520 << " for: " << (end - start).InDays() << " and " << required_scts
521 << " scts=" << scts.size(); 521 << " scts=" << scts.size();
522 } 522 }
523 } 523 }
524 524
525 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { 525 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
526 scoped_refptr<ct::EVCertsWhitelist> whitelist( 526 scoped_refptr<ct::EVCertsWhitelist> whitelist(
527 new DummyEVCertsWhitelist(true, true)); 527 new DummyEVCertsWhitelist(true, true));
528 528
529 ct::SCTList scts; 529 ct::SCTList scts;
530 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, 530 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
531 &scts); 531 &scts);
532 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, 532 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
533 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, 533 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
534 BoundNetLog())); 534 NetLogWithSource()));
535 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, 535 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
536 policy_enforcer_->DoesConformToCTEVPolicy( 536 policy_enforcer_->DoesConformToCTEVPolicy(
537 chain_.get(), whitelist.get(), scts, BoundNetLog())); 537 chain_.get(), whitelist.get(), scts, NetLogWithSource()));
538 } 538 }
539 539
540 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { 540 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
541 scoped_refptr<ct::EVCertsWhitelist> whitelist( 541 scoped_refptr<ct::EVCertsWhitelist> whitelist(
542 new DummyEVCertsWhitelist(false, true)); 542 new DummyEVCertsWhitelist(false, true));
543 543
544 ct::SCTList scts; 544 ct::SCTList scts;
545 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, 545 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
546 &scts); 546 &scts);
547 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 547 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
548 policy_enforcer_->DoesConformToCTEVPolicy( 548 policy_enforcer_->DoesConformToCTEVPolicy(
549 chain_.get(), whitelist.get(), scts, BoundNetLog())); 549 chain_.get(), whitelist.get(), scts, NetLogWithSource()));
550 } 550 }
551 551
552 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { 552 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
553 ct::SCTList scts; 553 ct::SCTList scts;
554 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, 554 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
555 &scts); 555 &scts);
556 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, 556 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
557 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, 557 policy_enforcer_->DoesConformToCTEVPolicy(
558 scts, BoundNetLog())); 558 chain_.get(), nullptr, scts, NetLogWithSource()));
559 } 559 }
560 560
561 } // namespace 561 } // namespace
562 562
563 } // namespace net 563 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698