OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
(...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
140 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 140 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
141 ct::SCTList scts; | 141 ct::SCTList scts; |
142 std::vector<std::string> desired_log_ids(2, google_log_id_); | 142 std::vector<std::string> desired_log_ids(2, google_log_id_); |
143 | 143 |
144 FillListWithSCTsOfOrigin( | 144 FillListWithSCTsOfOrigin( |
145 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 145 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
146 desired_log_ids.size(), desired_log_ids, true, &scts); | 146 desired_log_ids.size(), desired_log_ids, true, &scts); |
147 | 147 |
148 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 148 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
149 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 149 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
150 BoundNetLog())); | 150 NetLogWithSource())); |
151 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 151 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
152 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 152 policy_enforcer_->DoesConformToCTEVPolicy( |
153 scts, BoundNetLog())); | 153 chain_.get(), nullptr, scts, NetLogWithSource())); |
154 } | 154 } |
155 | 155 |
156 TEST_F(CTPolicyEnforcerTest, | 156 TEST_F(CTPolicyEnforcerTest, |
157 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 157 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
158 ct::SCTList scts; | 158 ct::SCTList scts; |
159 std::vector<std::string> desired_log_ids(2, non_google_log_id_); | 159 std::vector<std::string> desired_log_ids(2, non_google_log_id_); |
160 | 160 |
161 FillListWithSCTsOfOrigin( | 161 FillListWithSCTsOfOrigin( |
162 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 162 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
163 desired_log_ids.size(), desired_log_ids, true, &scts); | 163 desired_log_ids.size(), desired_log_ids, true, &scts); |
164 | 164 |
165 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 165 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
166 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 166 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
167 BoundNetLog())); | 167 NetLogWithSource())); |
168 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 168 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
169 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 169 policy_enforcer_->DoesConformToCTEVPolicy( |
170 scts, BoundNetLog())); | 170 chain_.get(), nullptr, scts, NetLogWithSource())); |
171 } | 171 } |
172 | 172 |
173 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 173 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
174 ct::SCTList scts; | 174 ct::SCTList scts; |
175 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 175 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
176 // All 5 SCTs will be from non-Google logs. | 176 // All 5 SCTs will be from non-Google logs. |
177 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 177 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
178 std::vector<std::string>(), false, &scts); | 178 std::vector<std::string>(), false, &scts); |
179 | 179 |
180 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 180 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
181 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 181 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
182 BoundNetLog())); | 182 NetLogWithSource())); |
183 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 183 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
184 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 184 policy_enforcer_->DoesConformToCTEVPolicy( |
185 scts, BoundNetLog())); | 185 chain_.get(), nullptr, scts, NetLogWithSource())); |
186 } | 186 } |
187 | 187 |
188 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 188 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
189 ct::SCTList scts; | 189 ct::SCTList scts; |
190 FillListWithSCTsOfOrigin( | 190 FillListWithSCTsOfOrigin( |
191 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); | 191 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); |
192 | 192 |
193 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 193 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
194 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 194 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
195 BoundNetLog())); | 195 NetLogWithSource())); |
196 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 196 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
197 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 197 policy_enforcer_->DoesConformToCTEVPolicy( |
198 scts, BoundNetLog())); | 198 chain_.get(), nullptr, scts, NetLogWithSource())); |
199 } | 199 } |
200 | 200 |
201 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 201 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
202 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 202 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
203 ct::SCTList scts; | 203 ct::SCTList scts; |
204 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 204 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
205 &scts); | 205 &scts); |
206 | 206 |
207 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 207 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
208 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 208 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
209 BoundNetLog())); | 209 NetLogWithSource())); |
210 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 210 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
211 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 211 policy_enforcer_->DoesConformToCTEVPolicy( |
212 scts, BoundNetLog())); | 212 chain_.get(), nullptr, scts, NetLogWithSource())); |
213 } | 213 } |
214 | 214 |
215 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { | 215 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { |
216 ct::SCTList scts; | 216 ct::SCTList scts; |
217 std::vector<std::string> desired_logs; | 217 std::vector<std::string> desired_logs; |
218 | 218 |
219 // One Google log, delivered via OCSP. | 219 // One Google log, delivered via OCSP. |
220 desired_logs.clear(); | 220 desired_logs.clear(); |
221 desired_logs.push_back(google_log_id_); | 221 desired_logs.push_back(google_log_id_); |
222 FillListWithSCTsOfOrigin( | 222 FillListWithSCTsOfOrigin( |
223 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | 223 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
224 desired_logs.size(), desired_logs, true, &scts); | 224 desired_logs.size(), desired_logs, true, &scts); |
225 | 225 |
226 // One non-Google log, delivered via TLS. | 226 // One non-Google log, delivered via TLS. |
227 desired_logs.clear(); | 227 desired_logs.clear(); |
228 desired_logs.push_back(non_google_log_id_); | 228 desired_logs.push_back(non_google_log_id_); |
229 FillListWithSCTsOfOrigin( | 229 FillListWithSCTsOfOrigin( |
230 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 230 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
231 desired_logs.size(), desired_logs, true, &scts); | 231 desired_logs.size(), desired_logs, true, &scts); |
232 | 232 |
233 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 233 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
234 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 234 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
235 BoundNetLog())); | 235 NetLogWithSource())); |
236 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 236 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
237 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 237 policy_enforcer_->DoesConformToCTEVPolicy( |
238 scts, BoundNetLog())); | 238 chain_.get(), nullptr, scts, NetLogWithSource())); |
239 } | 239 } |
240 | 240 |
241 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { | 241 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { |
242 ct::SCTList scts; | 242 ct::SCTList scts; |
243 std::vector<std::string> desired_logs; | 243 std::vector<std::string> desired_logs; |
244 | 244 |
245 // One Google log, delivered embedded. | 245 // One Google log, delivered embedded. |
246 desired_logs.clear(); | 246 desired_logs.clear(); |
247 desired_logs.push_back(google_log_id_); | 247 desired_logs.push_back(google_log_id_); |
248 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 248 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
249 desired_logs.size(), desired_logs, true, &scts); | 249 desired_logs.size(), desired_logs, true, &scts); |
250 | 250 |
251 // One non-Google log, delivered via OCSP. | 251 // One non-Google log, delivered via OCSP. |
252 desired_logs.clear(); | 252 desired_logs.clear(); |
253 desired_logs.push_back(non_google_log_id_); | 253 desired_logs.push_back(non_google_log_id_); |
254 FillListWithSCTsOfOrigin( | 254 FillListWithSCTsOfOrigin( |
255 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | 255 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
256 desired_logs.size(), desired_logs, true, &scts); | 256 desired_logs.size(), desired_logs, true, &scts); |
257 | 257 |
258 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 258 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
259 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 259 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
260 BoundNetLog())); | 260 NetLogWithSource())); |
261 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 261 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
262 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 262 policy_enforcer_->DoesConformToCTEVPolicy( |
263 scts, BoundNetLog())); | 263 chain_.get(), nullptr, scts, NetLogWithSource())); |
264 } | 264 } |
265 | 265 |
266 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 266 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
267 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 267 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
268 new DummyEVCertsWhitelist(true, false)); | 268 new DummyEVCertsWhitelist(true, false)); |
269 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 269 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
270 ct::SCTList scts; | 270 ct::SCTList scts; |
271 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 271 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
272 &scts); | 272 &scts); |
273 | 273 |
274 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 274 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
275 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 275 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
276 BoundNetLog())); | 276 NetLogWithSource())); |
277 EXPECT_EQ( | 277 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
278 ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 278 policy_enforcer_->DoesConformToCTEVPolicy( |
279 policy_enforcer_->DoesConformToCTEVPolicy( | 279 chain_.get(), non_including_whitelist.get(), scts, |
280 chain_.get(), non_including_whitelist.get(), scts, BoundNetLog())); | 280 NetLogWithSource())); |
281 | 281 |
282 // ... but should be OK if whitelisted. | 282 // ... but should be OK if whitelisted. |
283 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 283 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
284 new DummyEVCertsWhitelist(true, true)); | 284 new DummyEVCertsWhitelist(true, true)); |
285 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 285 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
286 policy_enforcer_->DoesConformToCTEVPolicy( | 286 policy_enforcer_->DoesConformToCTEVPolicy( |
287 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 287 chain_.get(), whitelist.get(), scts, NetLogWithSource())); |
288 } | 288 } |
289 | 289 |
290 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { | 290 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { |
291 ct::SCTList scts; | 291 ct::SCTList scts; |
292 | 292 |
293 // The results should be the same before and after disqualification, | 293 // The results should be the same before and after disqualification, |
294 // regardless of the delivery method. | 294 // regardless of the delivery method. |
295 | 295 |
296 // SCT from before disqualification. | 296 // SCT from before disqualification. |
297 scts.clear(); | 297 scts.clear(); |
298 FillListWithSCTsOfOrigin( | 298 FillListWithSCTsOfOrigin( |
299 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 299 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
300 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 300 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
301 false, &scts); | 301 false, &scts); |
302 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 302 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
303 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 303 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
304 BoundNetLog())); | 304 NetLogWithSource())); |
305 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 305 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
306 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 306 policy_enforcer_->DoesConformToCTEVPolicy( |
307 scts, BoundNetLog())); | 307 chain_.get(), nullptr, scts, NetLogWithSource())); |
308 | 308 |
309 // SCT from after disqualification. | 309 // SCT from after disqualification. |
310 scts.clear(); | 310 scts.clear(); |
311 FillListWithSCTsOfOrigin( | 311 FillListWithSCTsOfOrigin( |
312 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 312 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
313 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 313 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
314 true, &scts); | 314 true, &scts); |
315 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 315 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
316 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 316 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
317 BoundNetLog())); | 317 NetLogWithSource())); |
318 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 318 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
319 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 319 policy_enforcer_->DoesConformToCTEVPolicy( |
320 scts, BoundNetLog())); | 320 chain_.get(), nullptr, scts, NetLogWithSource())); |
321 | 321 |
322 // Embedded SCT from before disqualification. | 322 // Embedded SCT from before disqualification. |
323 scts.clear(); | 323 scts.clear(); |
324 FillListWithSCTsOfOrigin( | 324 FillListWithSCTsOfOrigin( |
325 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 325 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
326 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, | 326 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, |
327 &scts); | 327 &scts); |
328 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 328 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
329 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 329 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
330 BoundNetLog())); | 330 NetLogWithSource())); |
331 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 331 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
332 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 332 policy_enforcer_->DoesConformToCTEVPolicy( |
333 scts, BoundNetLog())); | 333 chain_.get(), nullptr, scts, NetLogWithSource())); |
334 | 334 |
335 // Embedded SCT from after disqualification. | 335 // Embedded SCT from after disqualification. |
336 scts.clear(); | 336 scts.clear(); |
337 FillListWithSCTsOfOrigin( | 337 FillListWithSCTsOfOrigin( |
338 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 338 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
339 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 339 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
340 &scts); | 340 &scts); |
341 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 341 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
342 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 342 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
343 BoundNetLog())); | 343 NetLogWithSource())); |
344 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | 344 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
345 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 345 policy_enforcer_->DoesConformToCTEVPolicy( |
346 scts, BoundNetLog())); | 346 chain_.get(), nullptr, scts, NetLogWithSource())); |
347 } | 347 } |
348 | 348 |
349 TEST_F(CTPolicyEnforcerTest, | 349 TEST_F(CTPolicyEnforcerTest, |
350 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { | 350 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { |
351 ct::SCTList scts; | 351 ct::SCTList scts; |
352 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 352 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
353 &scts); | 353 &scts); |
354 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, | 354 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, |
355 &scts); | 355 &scts); |
356 | 356 |
357 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 357 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
358 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 358 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
359 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 359 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
360 BoundNetLog())); | 360 NetLogWithSource())); |
361 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 361 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
362 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 362 policy_enforcer_->DoesConformToCTEVPolicy( |
363 scts, BoundNetLog())); | 363 chain_.get(), nullptr, scts, NetLogWithSource())); |
364 } | 364 } |
365 | 365 |
366 TEST_F(CTPolicyEnforcerTest, | 366 TEST_F(CTPolicyEnforcerTest, |
367 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { | 367 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { |
368 ct::SCTList scts; | 368 ct::SCTList scts; |
369 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 369 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
370 &scts); | 370 &scts); |
371 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 371 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
372 &scts); | 372 &scts); |
373 | 373 |
374 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 374 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
375 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 375 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
376 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 376 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
377 BoundNetLog())); | 377 NetLogWithSource())); |
378 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 378 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
379 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 379 policy_enforcer_->DoesConformToCTEVPolicy( |
380 scts, BoundNetLog())); | 380 chain_.get(), nullptr, scts, NetLogWithSource())); |
381 } | 381 } |
382 | 382 |
383 TEST_F(CTPolicyEnforcerTest, | 383 TEST_F(CTPolicyEnforcerTest, |
384 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { | 384 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { |
385 ct::SCTList scts; | 385 ct::SCTList scts; |
386 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 386 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
387 &scts); | 387 &scts); |
388 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 388 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
389 &scts); | 389 &scts); |
390 // Make sure all SCTs are after the disqualification date. | 390 // Make sure all SCTs are after the disqualification date. |
391 for (size_t i = 1; i < scts.size(); ++i) | 391 for (size_t i = 1; i < scts.size(); ++i) |
392 scts[i]->timestamp = scts[0]->timestamp; | 392 scts[i]->timestamp = scts[0]->timestamp; |
393 | 393 |
394 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 394 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
395 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 395 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
396 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 396 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
397 BoundNetLog())); | 397 NetLogWithSource())); |
398 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 398 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
399 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 399 policy_enforcer_->DoesConformToCTEVPolicy( |
400 scts, BoundNetLog())); | 400 chain_.get(), nullptr, scts, NetLogWithSource())); |
401 } | 401 } |
402 | 402 |
403 TEST_F(CTPolicyEnforcerTest, | 403 TEST_F(CTPolicyEnforcerTest, |
404 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { | 404 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { |
405 ct::SCTList scts; | 405 ct::SCTList scts; |
406 std::vector<std::string> desired_logs; | 406 std::vector<std::string> desired_logs; |
407 | 407 |
408 // One Google Log. | 408 // One Google Log. |
409 desired_logs.clear(); | 409 desired_logs.clear(); |
410 desired_logs.push_back(google_log_id_); | 410 desired_logs.push_back(google_log_id_); |
(...skipping 11 matching lines...) Expand all Loading... |
422 desired_logs.clear(); | 422 desired_logs.clear(); |
423 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | 423 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
424 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | 424 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
425 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 425 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
426 desired_logs.size(), desired_logs, true, &scts); | 426 desired_logs.size(), desired_logs, true, &scts); |
427 | 427 |
428 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 428 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
429 // However, there are only 4 SCTs are from distinct logs. | 429 // However, there are only 4 SCTs are from distinct logs. |
430 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 430 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
431 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 431 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
432 BoundNetLog())); | 432 NetLogWithSource())); |
433 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 433 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
434 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 434 policy_enforcer_->DoesConformToCTEVPolicy( |
435 scts, BoundNetLog())); | 435 chain_.get(), nullptr, scts, NetLogWithSource())); |
436 } | 436 } |
437 | 437 |
438 TEST_F(CTPolicyEnforcerTest, | 438 TEST_F(CTPolicyEnforcerTest, |
439 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 439 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
440 std::unique_ptr<crypto::RSAPrivateKey> private_key( | 440 std::unique_ptr<crypto::RSAPrivateKey> private_key( |
441 crypto::RSAPrivateKey::Create(1024)); | 441 crypto::RSAPrivateKey::Create(1024)); |
442 ASSERT_TRUE(private_key); | 442 ASSERT_TRUE(private_key); |
443 | 443 |
444 // Test multiple validity periods | 444 // Test multiple validity periods |
445 const struct TestData { | 445 const struct TestData { |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
489 scoped_refptr<X509Certificate> cert( | 489 scoped_refptr<X509Certificate> cert( |
490 X509Certificate::CreateFromBytes(cert_data.data(), cert_data.size())); | 490 X509Certificate::CreateFromBytes(cert_data.data(), cert_data.size())); |
491 ASSERT_TRUE(cert); | 491 ASSERT_TRUE(cert); |
492 | 492 |
493 for (size_t i = 0; i < required_scts - 1; ++i) { | 493 for (size_t i = 0; i < required_scts - 1; ++i) { |
494 ct::SCTList scts; | 494 ct::SCTList scts; |
495 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, | 495 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, |
496 std::vector<std::string>(), false, &scts); | 496 std::vector<std::string>(), false, &scts); |
497 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 497 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
498 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 498 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
499 BoundNetLog())) | 499 NetLogWithSource())) |
500 << " for: " << (end - start).InDays() << " and " << required_scts | 500 << " for: " << (end - start).InDays() << " and " << required_scts |
501 << " scts=" << scts.size() << " i=" << i; | 501 << " scts=" << scts.size() << " i=" << i; |
502 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 502 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
503 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 503 policy_enforcer_->DoesConformToCTEVPolicy( |
504 scts, BoundNetLog())) | 504 cert.get(), nullptr, scts, NetLogWithSource())) |
505 << " for: " << (end - start).InDays() << " and " << required_scts | 505 << " for: " << (end - start).InDays() << " and " << required_scts |
506 << " scts=" << scts.size() << " i=" << i; | 506 << " scts=" << scts.size() << " i=" << i; |
507 } | 507 } |
508 ct::SCTList scts; | 508 ct::SCTList scts; |
509 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 509 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
510 required_scts, std::vector<std::string>(), false, | 510 required_scts, std::vector<std::string>(), false, |
511 &scts); | 511 &scts); |
512 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 512 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
513 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 513 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
514 BoundNetLog())) | 514 NetLogWithSource())) |
515 << " for: " << (end - start).InDays() << " and " << required_scts | 515 << " for: " << (end - start).InDays() << " and " << required_scts |
516 << " scts=" << scts.size(); | 516 << " scts=" << scts.size(); |
517 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | 517 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
518 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, | 518 policy_enforcer_->DoesConformToCTEVPolicy( |
519 scts, BoundNetLog())) | 519 cert.get(), nullptr, scts, NetLogWithSource())) |
520 << " for: " << (end - start).InDays() << " and " << required_scts | 520 << " for: " << (end - start).InDays() << " and " << required_scts |
521 << " scts=" << scts.size(); | 521 << " scts=" << scts.size(); |
522 } | 522 } |
523 } | 523 } |
524 | 524 |
525 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 525 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
526 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 526 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
527 new DummyEVCertsWhitelist(true, true)); | 527 new DummyEVCertsWhitelist(true, true)); |
528 | 528 |
529 ct::SCTList scts; | 529 ct::SCTList scts; |
530 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 530 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
531 &scts); | 531 &scts); |
532 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 532 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
533 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 533 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
534 BoundNetLog())); | 534 NetLogWithSource())); |
535 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | 535 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
536 policy_enforcer_->DoesConformToCTEVPolicy( | 536 policy_enforcer_->DoesConformToCTEVPolicy( |
537 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 537 chain_.get(), whitelist.get(), scts, NetLogWithSource())); |
538 } | 538 } |
539 | 539 |
540 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 540 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
541 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 541 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
542 new DummyEVCertsWhitelist(false, true)); | 542 new DummyEVCertsWhitelist(false, true)); |
543 | 543 |
544 ct::SCTList scts; | 544 ct::SCTList scts; |
545 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 545 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
546 &scts); | 546 &scts); |
547 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 547 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
548 policy_enforcer_->DoesConformToCTEVPolicy( | 548 policy_enforcer_->DoesConformToCTEVPolicy( |
549 chain_.get(), whitelist.get(), scts, BoundNetLog())); | 549 chain_.get(), whitelist.get(), scts, NetLogWithSource())); |
550 } | 550 } |
551 | 551 |
552 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 552 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
553 ct::SCTList scts; | 553 ct::SCTList scts; |
554 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 554 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
555 &scts); | 555 &scts); |
556 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | 556 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
557 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, | 557 policy_enforcer_->DoesConformToCTEVPolicy( |
558 scts, BoundNetLog())); | 558 chain_.get(), nullptr, scts, NetLogWithSource())); |
559 } | 559 } |
560 | 560 |
561 } // namespace | 561 } // namespace |
562 | 562 |
563 } // namespace net | 563 } // namespace net |
OLD | NEW |