OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
11 #include "base/version.h" | 11 #include "base/version.h" |
12 #include "crypto/rsa_private_key.h" | 12 #include "crypto/rsa_private_key.h" |
13 #include "crypto/sha2.h" | 13 #include "crypto/sha2.h" |
14 #include "net/cert/ct_ev_whitelist.h" | |
15 #include "net/cert/ct_policy_status.h" | 14 #include "net/cert/ct_policy_status.h" |
16 #include "net/cert/ct_verify_result.h" | 15 #include "net/cert/ct_verify_result.h" |
17 #include "net/cert/x509_certificate.h" | 16 #include "net/cert/x509_certificate.h" |
18 #include "net/cert/x509_util.h" | 17 #include "net/cert/x509_util.h" |
19 #include "net/log/net_log_with_source.h" | 18 #include "net/log/net_log_with_source.h" |
20 #include "net/test/cert_test_util.h" | 19 #include "net/test/cert_test_util.h" |
21 #include "net/test/ct_test_util.h" | 20 #include "net/test/ct_test_util.h" |
22 #include "net/test/test_data_directory.h" | 21 #include "net/test/test_data_directory.h" |
23 #include "testing/gmock/include/gmock/gmock.h" | 22 #include "testing/gmock/include/gmock/gmock.h" |
24 #include "testing/gtest/include/gtest/gtest.h" | 23 #include "testing/gtest/include/gtest/gtest.h" |
25 | 24 |
26 namespace net { | 25 namespace net { |
27 | 26 |
28 namespace { | 27 namespace { |
29 | 28 |
30 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { | |
31 public: | |
32 DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response) | |
33 : canned_is_valid_(is_valid_response), | |
34 canned_contains_response_(contains_hash_response) {} | |
35 | |
36 bool IsValid() const override { return canned_is_valid_; } | |
37 | |
38 bool ContainsCertificateHash( | |
39 const std::string& certificate_hash) const override { | |
40 return canned_contains_response_; | |
41 } | |
42 | |
43 base::Version Version() const override { return base::Version(); } | |
44 | |
45 protected: | |
46 ~DummyEVCertsWhitelist() override {} | |
47 | |
48 private: | |
49 bool canned_is_valid_; | |
50 bool canned_contains_response_; | |
51 }; | |
52 | |
53 const char kGoogleAviatorLogID[] = | 29 const char kGoogleAviatorLogID[] = |
54 "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" | 30 "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" |
55 "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; | 31 "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; |
56 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length, | 32 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length, |
57 "Incorrect log ID length."); | 33 "Incorrect log ID length."); |
58 | 34 |
59 class CTPolicyEnforcerTest : public ::testing::Test { | 35 class CTPolicyEnforcerTest : public ::testing::Test { |
60 public: | 36 public: |
61 void SetUp() override { | 37 void SetUp() override { |
62 policy_enforcer_.reset(new CTPolicyEnforcer); | 38 policy_enforcer_.reset(new CTPolicyEnforcer); |
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
140 } | 116 } |
141 | 117 |
142 protected: | 118 protected: |
143 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; | 119 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; |
144 scoped_refptr<X509Certificate> chain_; | 120 scoped_refptr<X509Certificate> chain_; |
145 std::string google_log_id_; | 121 std::string google_log_id_; |
146 std::string non_google_log_id_; | 122 std::string non_google_log_id_; |
147 }; | 123 }; |
148 | 124 |
149 #if defined(OS_ANDROID) | 125 #if defined(OS_ANDROID) |
150 #define MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle \ | 126 #define MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle \ |
151 DISABLED_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle | 127 DISABLED_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle |
152 #else | 128 #else |
153 #define MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle \ | 129 #define MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle \ |
154 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle | 130 DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle |
155 #endif | 131 #endif |
156 TEST_F(CTPolicyEnforcerTest, | 132 TEST_F(CTPolicyEnforcerTest, |
157 MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 133 MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle) { |
158 ct::SCTList scts; | 134 ct::SCTList scts; |
159 std::vector<std::string> desired_log_ids(2, google_log_id_); | 135 std::vector<std::string> desired_log_ids(2, google_log_id_); |
160 | 136 |
161 FillListWithSCTsOfOrigin( | 137 FillListWithSCTsOfOrigin( |
162 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 138 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
163 desired_log_ids.size(), desired_log_ids, true, &scts); | 139 desired_log_ids.size(), desired_log_ids, true, &scts); |
164 | 140 |
165 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 141 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
166 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 142 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
167 NetLogWithSource())); | 143 NetLogWithSource())); |
168 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
169 policy_enforcer_->DoesConformToCTEVPolicy( | |
170 chain_.get(), nullptr, scts, NetLogWithSource())); | |
171 } | 144 } |
172 | 145 |
173 TEST_F(CTPolicyEnforcerTest, | 146 TEST_F(CTPolicyEnforcerTest, |
174 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 147 DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
175 ct::SCTList scts; | 148 ct::SCTList scts; |
176 std::vector<std::string> desired_log_ids(2, non_google_log_id_); | 149 std::vector<std::string> desired_log_ids(2, non_google_log_id_); |
177 | 150 |
178 FillListWithSCTsOfOrigin( | 151 FillListWithSCTsOfOrigin( |
179 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 152 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
180 desired_log_ids.size(), desired_log_ids, true, &scts); | 153 desired_log_ids.size(), desired_log_ids, true, &scts); |
181 | 154 |
182 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 155 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
183 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 156 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
184 NetLogWithSource())); | 157 NetLogWithSource())); |
185 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
186 policy_enforcer_->DoesConformToCTEVPolicy( | |
187 chain_.get(), nullptr, scts, NetLogWithSource())); | |
188 } | 158 } |
189 | 159 |
190 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 160 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyIfSCTBeforeEnforcementDate) { |
191 ct::SCTList scts; | 161 ct::SCTList scts; |
192 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 162 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
193 // All 5 SCTs will be from non-Google logs. | 163 // All 5 SCTs will be from non-Google logs. |
194 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 164 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
195 std::vector<std::string>(), false, &scts); | 165 std::vector<std::string>(), false, &scts); |
196 | 166 |
197 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 167 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
198 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 168 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
199 NetLogWithSource())); | 169 NetLogWithSource())); |
200 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
201 policy_enforcer_->DoesConformToCTEVPolicy( | |
202 chain_.get(), nullptr, scts, NetLogWithSource())); | |
203 } | 170 } |
204 | 171 |
205 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 172 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithNonEmbeddedSCTs) { |
206 ct::SCTList scts; | 173 ct::SCTList scts; |
207 FillListWithSCTsOfOrigin( | 174 FillListWithSCTsOfOrigin( |
208 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); | 175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); |
209 | 176 |
210 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 177 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
211 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 178 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
212 NetLogWithSource())); | 179 NetLogWithSource())); |
213 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
214 policy_enforcer_->DoesConformToCTEVPolicy( | |
215 chain_.get(), nullptr, scts, NetLogWithSource())); | |
216 } | 180 } |
217 | 181 |
218 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 182 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithEmbeddedSCTs) { |
219 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 183 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
220 ct::SCTList scts; | 184 ct::SCTList scts; |
221 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 185 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
222 &scts); | 186 &scts); |
223 | 187 |
224 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 188 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
225 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 189 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
226 NetLogWithSource())); | 190 NetLogWithSource())); |
227 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
228 policy_enforcer_->DoesConformToCTEVPolicy( | |
229 chain_.get(), nullptr, scts, NetLogWithSource())); | |
230 } | 191 } |
231 | 192 |
232 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { | 193 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithPooledNonEmbeddedSCTs) { |
233 ct::SCTList scts; | 194 ct::SCTList scts; |
234 std::vector<std::string> desired_logs; | 195 std::vector<std::string> desired_logs; |
235 | 196 |
236 // One Google log, delivered via OCSP. | 197 // One Google log, delivered via OCSP. |
237 desired_logs.clear(); | 198 desired_logs.clear(); |
238 desired_logs.push_back(google_log_id_); | 199 desired_logs.push_back(google_log_id_); |
239 FillListWithSCTsOfOrigin( | 200 FillListWithSCTsOfOrigin( |
240 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | 201 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
241 desired_logs.size(), desired_logs, true, &scts); | 202 desired_logs.size(), desired_logs, true, &scts); |
242 | 203 |
243 // One non-Google log, delivered via TLS. | 204 // One non-Google log, delivered via TLS. |
244 desired_logs.clear(); | 205 desired_logs.clear(); |
245 desired_logs.push_back(non_google_log_id_); | 206 desired_logs.push_back(non_google_log_id_); |
246 FillListWithSCTsOfOrigin( | 207 FillListWithSCTsOfOrigin( |
247 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 208 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
248 desired_logs.size(), desired_logs, true, &scts); | 209 desired_logs.size(), desired_logs, true, &scts); |
249 | 210 |
250 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 211 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
251 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 212 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
252 NetLogWithSource())); | 213 NetLogWithSource())); |
253 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
254 policy_enforcer_->DoesConformToCTEVPolicy( | |
255 chain_.get(), nullptr, scts, NetLogWithSource())); | |
256 } | 214 } |
257 | 215 |
258 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { | 216 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithPooledEmbeddedSCTs) { |
259 ct::SCTList scts; | 217 ct::SCTList scts; |
260 std::vector<std::string> desired_logs; | 218 std::vector<std::string> desired_logs; |
261 | 219 |
262 // One Google log, delivered embedded. | 220 // One Google log, delivered embedded. |
263 desired_logs.clear(); | 221 desired_logs.clear(); |
264 desired_logs.push_back(google_log_id_); | 222 desired_logs.push_back(google_log_id_); |
265 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 223 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
266 desired_logs.size(), desired_logs, true, &scts); | 224 desired_logs.size(), desired_logs, true, &scts); |
267 | 225 |
268 // One non-Google log, delivered via OCSP. | 226 // One non-Google log, delivered via OCSP. |
269 desired_logs.clear(); | 227 desired_logs.clear(); |
270 desired_logs.push_back(non_google_log_id_); | 228 desired_logs.push_back(non_google_log_id_); |
271 FillListWithSCTsOfOrigin( | 229 FillListWithSCTsOfOrigin( |
272 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | 230 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
273 desired_logs.size(), desired_logs, true, &scts); | 231 desired_logs.size(), desired_logs, true, &scts); |
274 | 232 |
275 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 233 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
276 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 234 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
277 NetLogWithSource())); | 235 NetLogWithSource())); |
278 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
279 policy_enforcer_->DoesConformToCTEVPolicy( | |
280 chain_.get(), nullptr, scts, NetLogWithSource())); | |
281 } | 236 } |
282 | 237 |
283 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 238 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughSCTs) { |
284 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | |
285 new DummyEVCertsWhitelist(true, false)); | |
286 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 239 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
287 ct::SCTList scts; | 240 ct::SCTList scts; |
288 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 241 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
289 &scts); | 242 &scts); |
290 | 243 |
291 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 244 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
292 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 245 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
293 NetLogWithSource())); | 246 NetLogWithSource())); |
294 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
295 policy_enforcer_->DoesConformToCTEVPolicy( | |
296 chain_.get(), non_including_whitelist.get(), scts, | |
297 NetLogWithSource())); | |
298 | |
299 // ... but should be OK if whitelisted. | |
300 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
301 new DummyEVCertsWhitelist(true, true)); | |
302 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | |
303 policy_enforcer_->DoesConformToCTEVPolicy( | |
304 chain_.get(), whitelist.get(), scts, NetLogWithSource())); | |
305 } | 247 } |
306 | 248 |
307 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { | 249 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughFreshSCTs) { |
308 ct::SCTList scts; | 250 ct::SCTList scts; |
309 | 251 |
310 // The results should be the same before and after disqualification, | 252 // The results should be the same before and after disqualification, |
311 // regardless of the delivery method. | 253 // regardless of the delivery method. |
312 | 254 |
313 // SCT from before disqualification. | 255 // SCT from before disqualification. |
314 scts.clear(); | 256 scts.clear(); |
315 FillListWithSCTsOfOrigin( | 257 FillListWithSCTsOfOrigin( |
316 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 258 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
317 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 259 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
318 false, &scts); | 260 false, &scts); |
319 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 261 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
320 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 262 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
321 NetLogWithSource())); | 263 NetLogWithSource())); |
322 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
323 policy_enforcer_->DoesConformToCTEVPolicy( | |
324 chain_.get(), nullptr, scts, NetLogWithSource())); | |
325 | 264 |
326 // SCT from after disqualification. | 265 // SCT from after disqualification. |
327 scts.clear(); | 266 scts.clear(); |
328 FillListWithSCTsOfOrigin( | 267 FillListWithSCTsOfOrigin( |
329 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 268 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
330 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 269 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
331 true, &scts); | 270 true, &scts); |
332 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 271 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
333 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 272 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
334 NetLogWithSource())); | 273 NetLogWithSource())); |
335 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
336 policy_enforcer_->DoesConformToCTEVPolicy( | |
337 chain_.get(), nullptr, scts, NetLogWithSource())); | |
338 | 274 |
339 // Embedded SCT from before disqualification. | 275 // Embedded SCT from before disqualification. |
340 scts.clear(); | 276 scts.clear(); |
341 FillListWithSCTsOfOrigin( | 277 FillListWithSCTsOfOrigin( |
342 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 278 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
343 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, | 279 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, |
344 &scts); | 280 &scts); |
345 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 281 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
346 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 282 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
347 NetLogWithSource())); | 283 NetLogWithSource())); |
348 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
349 policy_enforcer_->DoesConformToCTEVPolicy( | |
350 chain_.get(), nullptr, scts, NetLogWithSource())); | |
351 | 284 |
352 // Embedded SCT from after disqualification. | 285 // Embedded SCT from after disqualification. |
353 scts.clear(); | 286 scts.clear(); |
354 FillListWithSCTsOfOrigin( | 287 FillListWithSCTsOfOrigin( |
355 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 288 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
356 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 289 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
357 &scts); | 290 &scts); |
358 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 291 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
359 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 292 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
360 NetLogWithSource())); | 293 NetLogWithSource())); |
361 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
362 policy_enforcer_->DoesConformToCTEVPolicy( | |
363 chain_.get(), nullptr, scts, NetLogWithSource())); | |
364 } | 294 } |
365 | 295 |
366 TEST_F(CTPolicyEnforcerTest, | 296 TEST_F(CTPolicyEnforcerTest, |
367 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { | 297 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { |
368 ct::SCTList scts; | 298 ct::SCTList scts; |
369 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 299 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
370 &scts); | 300 &scts); |
371 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, | 301 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, |
372 &scts); | 302 &scts); |
373 | 303 |
374 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 304 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
375 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 305 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
376 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 306 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
377 NetLogWithSource())); | 307 NetLogWithSource())); |
378 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
379 policy_enforcer_->DoesConformToCTEVPolicy( | |
380 chain_.get(), nullptr, scts, NetLogWithSource())); | |
381 } | 308 } |
382 | 309 |
383 TEST_F(CTPolicyEnforcerTest, | 310 TEST_F(CTPolicyEnforcerTest, |
384 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { | 311 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { |
385 ct::SCTList scts; | 312 ct::SCTList scts; |
386 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 313 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
387 &scts); | 314 &scts); |
388 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 315 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
389 &scts); | 316 &scts); |
390 | 317 |
391 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 318 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
392 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 319 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
393 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 320 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
394 NetLogWithSource())); | 321 NetLogWithSource())); |
395 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
396 policy_enforcer_->DoesConformToCTEVPolicy( | |
397 chain_.get(), nullptr, scts, NetLogWithSource())); | |
398 } | 322 } |
399 | 323 |
400 TEST_F(CTPolicyEnforcerTest, | 324 TEST_F(CTPolicyEnforcerTest, |
401 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { | 325 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { |
402 ct::SCTList scts; | 326 ct::SCTList scts; |
403 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 327 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
404 &scts); | 328 &scts); |
405 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 329 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
406 &scts); | 330 &scts); |
407 // Make sure all SCTs are after the disqualification date. | 331 // Make sure all SCTs are after the disqualification date. |
408 for (size_t i = 1; i < scts.size(); ++i) | 332 for (size_t i = 1; i < scts.size(); ++i) |
409 scts[i]->timestamp = scts[0]->timestamp; | 333 scts[i]->timestamp = scts[0]->timestamp; |
410 | 334 |
411 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 335 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
412 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 336 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
413 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 337 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
414 NetLogWithSource())); | 338 NetLogWithSource())); |
415 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
416 policy_enforcer_->DoesConformToCTEVPolicy( | |
417 chain_.get(), nullptr, scts, NetLogWithSource())); | |
418 } | 339 } |
419 | 340 |
420 TEST_F(CTPolicyEnforcerTest, | 341 TEST_F(CTPolicyEnforcerTest, |
421 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { | 342 DoesNotConformToCTPolicyNotEnoughUniqueEmbeddedLogs) { |
422 ct::SCTList scts; | 343 ct::SCTList scts; |
423 std::vector<std::string> desired_logs; | 344 std::vector<std::string> desired_logs; |
424 | 345 |
425 // One Google Log. | 346 // One Google Log. |
426 desired_logs.clear(); | 347 desired_logs.clear(); |
427 desired_logs.push_back(google_log_id_); | 348 desired_logs.push_back(google_log_id_); |
428 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 349 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
429 desired_logs.size(), desired_logs, true, &scts); | 350 desired_logs.size(), desired_logs, true, &scts); |
430 | 351 |
431 // Two distinct non-Google logs. | 352 // Two distinct non-Google logs. |
432 desired_logs.clear(); | 353 desired_logs.clear(); |
433 desired_logs.push_back(std::string(crypto::kSHA256Length, 'A')); | 354 desired_logs.push_back(std::string(crypto::kSHA256Length, 'A')); |
434 desired_logs.push_back(std::string(crypto::kSHA256Length, 'B')); | 355 desired_logs.push_back(std::string(crypto::kSHA256Length, 'B')); |
435 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 356 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
436 desired_logs.size(), desired_logs, true, &scts); | 357 desired_logs.size(), desired_logs, true, &scts); |
437 | 358 |
438 // Two unique SCTs from the same non-Google log. | 359 // Two unique SCTs from the same non-Google log. |
439 desired_logs.clear(); | 360 desired_logs.clear(); |
440 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | 361 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
441 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | 362 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
442 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 363 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
443 desired_logs.size(), desired_logs, true, &scts); | 364 desired_logs.size(), desired_logs, true, &scts); |
444 | 365 |
445 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 366 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
446 // However, there are only 4 SCTs are from distinct logs. | 367 // However, there are only 4 SCTs are from distinct logs. |
447 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 368 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
448 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 369 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
449 NetLogWithSource())); | 370 NetLogWithSource())); |
450 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
451 policy_enforcer_->DoesConformToCTEVPolicy( | |
452 chain_.get(), nullptr, scts, NetLogWithSource())); | |
453 } | 371 } |
454 | 372 |
455 TEST_F(CTPolicyEnforcerTest, | 373 TEST_F(CTPolicyEnforcerTest, |
456 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 374 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
457 std::unique_ptr<crypto::RSAPrivateKey> private_key( | 375 std::unique_ptr<crypto::RSAPrivateKey> private_key( |
458 crypto::RSAPrivateKey::Create(1024)); | 376 crypto::RSAPrivateKey::Create(1024)); |
459 ASSERT_TRUE(private_key); | 377 ASSERT_TRUE(private_key); |
460 | 378 |
461 // Test multiple validity periods | 379 // Test multiple validity periods |
462 base::Time time_2015_3_0_25_11_25_0_0 = | 380 base::Time time_2015_3_0_25_11_25_0_0 = |
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
519 | 437 |
520 for (size_t i = 0; i < required_scts - 1; ++i) { | 438 for (size_t i = 0; i < required_scts - 1; ++i) { |
521 ct::SCTList scts; | 439 ct::SCTList scts; |
522 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, | 440 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, |
523 std::vector<std::string>(), false, &scts); | 441 std::vector<std::string>(), false, &scts); |
524 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 442 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
525 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 443 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
526 NetLogWithSource())) | 444 NetLogWithSource())) |
527 << " for: " << (end - start).InDays() << " and " << required_scts | 445 << " for: " << (end - start).InDays() << " and " << required_scts |
528 << " scts=" << scts.size() << " i=" << i; | 446 << " scts=" << scts.size() << " i=" << i; |
529 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
530 policy_enforcer_->DoesConformToCTEVPolicy( | |
531 cert.get(), nullptr, scts, NetLogWithSource())) | |
532 << " for: " << (end - start).InDays() << " and " << required_scts | |
533 << " scts=" << scts.size() << " i=" << i; | |
534 } | 447 } |
535 ct::SCTList scts; | 448 ct::SCTList scts; |
536 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 449 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
537 required_scts, std::vector<std::string>(), false, | 450 required_scts, std::vector<std::string>(), false, |
538 &scts); | 451 &scts); |
539 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 452 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
540 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 453 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
541 NetLogWithSource())) | 454 NetLogWithSource())) |
542 << " for: " << (end - start).InDays() << " and " << required_scts | 455 << " for: " << (end - start).InDays() << " and " << required_scts |
543 << " scts=" << scts.size(); | 456 << " scts=" << scts.size(); |
544 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
545 policy_enforcer_->DoesConformToCTEVPolicy( | |
546 cert.get(), nullptr, scts, NetLogWithSource())) | |
547 << " for: " << (end - start).InDays() << " and " << required_scts | |
548 << " scts=" << scts.size(); | |
549 } | 457 } |
550 } | 458 } |
551 | 459 |
552 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | |
553 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
554 new DummyEVCertsWhitelist(true, true)); | |
555 | |
556 ct::SCTList scts; | |
557 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | |
558 &scts); | |
559 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | |
560 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | |
561 NetLogWithSource())); | |
562 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | |
563 policy_enforcer_->DoesConformToCTEVPolicy( | |
564 chain_.get(), whitelist.get(), scts, NetLogWithSource())); | |
565 } | |
566 | |
567 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | |
568 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
569 new DummyEVCertsWhitelist(false, true)); | |
570 | |
571 ct::SCTList scts; | |
572 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | |
573 &scts); | |
574 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
575 policy_enforcer_->DoesConformToCTEVPolicy( | |
576 chain_.get(), whitelist.get(), scts, NetLogWithSource())); | |
577 } | |
578 | |
579 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | |
580 ct::SCTList scts; | |
581 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | |
582 &scts); | |
583 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
584 policy_enforcer_->DoesConformToCTEVPolicy( | |
585 chain_.get(), nullptr, scts, NetLogWithSource())); | |
586 } | |
587 | |
588 } // namespace | 460 } // namespace |
589 | 461 |
590 } // namespace net | 462 } // namespace net |
OLD | NEW |