| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/ct_policy_enforcer.h" | 5 #include "net/cert/ct_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| 11 #include "base/version.h" | 11 #include "base/version.h" |
| 12 #include "crypto/rsa_private_key.h" | 12 #include "crypto/rsa_private_key.h" |
| 13 #include "crypto/sha2.h" | 13 #include "crypto/sha2.h" |
| 14 #include "net/cert/ct_ev_whitelist.h" | |
| 15 #include "net/cert/ct_policy_status.h" | 14 #include "net/cert/ct_policy_status.h" |
| 16 #include "net/cert/ct_verify_result.h" | 15 #include "net/cert/ct_verify_result.h" |
| 17 #include "net/cert/x509_certificate.h" | 16 #include "net/cert/x509_certificate.h" |
| 18 #include "net/cert/x509_util.h" | 17 #include "net/cert/x509_util.h" |
| 19 #include "net/log/net_log_with_source.h" | 18 #include "net/log/net_log_with_source.h" |
| 20 #include "net/test/cert_test_util.h" | 19 #include "net/test/cert_test_util.h" |
| 21 #include "net/test/ct_test_util.h" | 20 #include "net/test/ct_test_util.h" |
| 22 #include "net/test/test_data_directory.h" | 21 #include "net/test/test_data_directory.h" |
| 23 #include "testing/gmock/include/gmock/gmock.h" | 22 #include "testing/gmock/include/gmock/gmock.h" |
| 24 #include "testing/gtest/include/gtest/gtest.h" | 23 #include "testing/gtest/include/gtest/gtest.h" |
| 25 | 24 |
| 26 namespace net { | 25 namespace net { |
| 27 | 26 |
| 28 namespace { | 27 namespace { |
| 29 | 28 |
| 30 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { | |
| 31 public: | |
| 32 DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response) | |
| 33 : canned_is_valid_(is_valid_response), | |
| 34 canned_contains_response_(contains_hash_response) {} | |
| 35 | |
| 36 bool IsValid() const override { return canned_is_valid_; } | |
| 37 | |
| 38 bool ContainsCertificateHash( | |
| 39 const std::string& certificate_hash) const override { | |
| 40 return canned_contains_response_; | |
| 41 } | |
| 42 | |
| 43 base::Version Version() const override { return base::Version(); } | |
| 44 | |
| 45 protected: | |
| 46 ~DummyEVCertsWhitelist() override {} | |
| 47 | |
| 48 private: | |
| 49 bool canned_is_valid_; | |
| 50 bool canned_contains_response_; | |
| 51 }; | |
| 52 | |
| 53 const char kGoogleAviatorLogID[] = | 29 const char kGoogleAviatorLogID[] = |
| 54 "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" | 30 "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" |
| 55 "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; | 31 "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; |
| 56 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length, | 32 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length, |
| 57 "Incorrect log ID length."); | 33 "Incorrect log ID length."); |
| 58 | 34 |
| 59 class CTPolicyEnforcerTest : public ::testing::Test { | 35 class CTPolicyEnforcerTest : public ::testing::Test { |
| 60 public: | 36 public: |
| 61 void SetUp() override { | 37 void SetUp() override { |
| 62 policy_enforcer_.reset(new CTPolicyEnforcer); | 38 policy_enforcer_.reset(new CTPolicyEnforcer); |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 140 } | 116 } |
| 141 | 117 |
| 142 protected: | 118 protected: |
| 143 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; | 119 std::unique_ptr<CTPolicyEnforcer> policy_enforcer_; |
| 144 scoped_refptr<X509Certificate> chain_; | 120 scoped_refptr<X509Certificate> chain_; |
| 145 std::string google_log_id_; | 121 std::string google_log_id_; |
| 146 std::string non_google_log_id_; | 122 std::string non_google_log_id_; |
| 147 }; | 123 }; |
| 148 | 124 |
| 149 #if defined(OS_ANDROID) | 125 #if defined(OS_ANDROID) |
| 150 #define MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle \ | 126 #define MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle \ |
| 151 DISABLED_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle | 127 DISABLED_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle |
| 152 #else | 128 #else |
| 153 #define MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle \ | 129 #define MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle \ |
| 154 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle | 130 DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle |
| 155 #endif | 131 #endif |
| 156 TEST_F(CTPolicyEnforcerTest, | 132 TEST_F(CTPolicyEnforcerTest, |
| 157 MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { | 133 MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle) { |
| 158 ct::SCTList scts; | 134 ct::SCTList scts; |
| 159 std::vector<std::string> desired_log_ids(2, google_log_id_); | 135 std::vector<std::string> desired_log_ids(2, google_log_id_); |
| 160 | 136 |
| 161 FillListWithSCTsOfOrigin( | 137 FillListWithSCTsOfOrigin( |
| 162 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 138 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 163 desired_log_ids.size(), desired_log_ids, true, &scts); | 139 desired_log_ids.size(), desired_log_ids, true, &scts); |
| 164 | 140 |
| 165 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 141 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 166 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 142 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 167 NetLogWithSource())); | 143 NetLogWithSource())); |
| 168 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
| 169 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 170 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 171 } | 144 } |
| 172 | 145 |
| 173 TEST_F(CTPolicyEnforcerTest, | 146 TEST_F(CTPolicyEnforcerTest, |
| 174 DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { | 147 DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
| 175 ct::SCTList scts; | 148 ct::SCTList scts; |
| 176 std::vector<std::string> desired_log_ids(2, non_google_log_id_); | 149 std::vector<std::string> desired_log_ids(2, non_google_log_id_); |
| 177 | 150 |
| 178 FillListWithSCTsOfOrigin( | 151 FillListWithSCTsOfOrigin( |
| 179 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 152 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 180 desired_log_ids.size(), desired_log_ids, true, &scts); | 153 desired_log_ids.size(), desired_log_ids, true, &scts); |
| 181 | 154 |
| 182 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 155 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 183 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 156 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 184 NetLogWithSource())); | 157 NetLogWithSource())); |
| 185 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
| 186 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 187 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 188 } | 158 } |
| 189 | 159 |
| 190 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { | 160 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyIfSCTBeforeEnforcementDate) { |
| 191 ct::SCTList scts; | 161 ct::SCTList scts; |
| 192 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 162 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 193 // All 5 SCTs will be from non-Google logs. | 163 // All 5 SCTs will be from non-Google logs. |
| 194 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 164 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 195 std::vector<std::string>(), false, &scts); | 165 std::vector<std::string>(), false, &scts); |
| 196 | 166 |
| 197 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 167 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 198 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 168 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 199 NetLogWithSource())); | 169 NetLogWithSource())); |
| 200 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
| 201 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 202 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 203 } | 170 } |
| 204 | 171 |
| 205 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 172 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithNonEmbeddedSCTs) { |
| 206 ct::SCTList scts; | 173 ct::SCTList scts; |
| 207 FillListWithSCTsOfOrigin( | 174 FillListWithSCTsOfOrigin( |
| 208 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); | 175 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); |
| 209 | 176 |
| 210 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 177 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 211 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 178 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 212 NetLogWithSource())); | 179 NetLogWithSource())); |
| 213 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
| 214 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 215 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 216 } | 180 } |
| 217 | 181 |
| 218 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 182 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithEmbeddedSCTs) { |
| 219 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 183 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 220 ct::SCTList scts; | 184 ct::SCTList scts; |
| 221 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 185 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 222 &scts); | 186 &scts); |
| 223 | 187 |
| 224 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 188 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 225 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 189 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 226 NetLogWithSource())); | 190 NetLogWithSource())); |
| 227 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
| 228 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 229 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 230 } | 191 } |
| 231 | 192 |
| 232 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { | 193 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithPooledNonEmbeddedSCTs) { |
| 233 ct::SCTList scts; | 194 ct::SCTList scts; |
| 234 std::vector<std::string> desired_logs; | 195 std::vector<std::string> desired_logs; |
| 235 | 196 |
| 236 // One Google log, delivered via OCSP. | 197 // One Google log, delivered via OCSP. |
| 237 desired_logs.clear(); | 198 desired_logs.clear(); |
| 238 desired_logs.push_back(google_log_id_); | 199 desired_logs.push_back(google_log_id_); |
| 239 FillListWithSCTsOfOrigin( | 200 FillListWithSCTsOfOrigin( |
| 240 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | 201 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
| 241 desired_logs.size(), desired_logs, true, &scts); | 202 desired_logs.size(), desired_logs, true, &scts); |
| 242 | 203 |
| 243 // One non-Google log, delivered via TLS. | 204 // One non-Google log, delivered via TLS. |
| 244 desired_logs.clear(); | 205 desired_logs.clear(); |
| 245 desired_logs.push_back(non_google_log_id_); | 206 desired_logs.push_back(non_google_log_id_); |
| 246 FillListWithSCTsOfOrigin( | 207 FillListWithSCTsOfOrigin( |
| 247 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 208 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 248 desired_logs.size(), desired_logs, true, &scts); | 209 desired_logs.size(), desired_logs, true, &scts); |
| 249 | 210 |
| 250 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 211 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 251 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 212 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 252 NetLogWithSource())); | 213 NetLogWithSource())); |
| 253 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
| 254 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 255 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 256 } | 214 } |
| 257 | 215 |
| 258 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { | 216 TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithPooledEmbeddedSCTs) { |
| 259 ct::SCTList scts; | 217 ct::SCTList scts; |
| 260 std::vector<std::string> desired_logs; | 218 std::vector<std::string> desired_logs; |
| 261 | 219 |
| 262 // One Google log, delivered embedded. | 220 // One Google log, delivered embedded. |
| 263 desired_logs.clear(); | 221 desired_logs.clear(); |
| 264 desired_logs.push_back(google_log_id_); | 222 desired_logs.push_back(google_log_id_); |
| 265 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 223 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 266 desired_logs.size(), desired_logs, true, &scts); | 224 desired_logs.size(), desired_logs, true, &scts); |
| 267 | 225 |
| 268 // One non-Google log, delivered via OCSP. | 226 // One non-Google log, delivered via OCSP. |
| 269 desired_logs.clear(); | 227 desired_logs.clear(); |
| 270 desired_logs.push_back(non_google_log_id_); | 228 desired_logs.push_back(non_google_log_id_); |
| 271 FillListWithSCTsOfOrigin( | 229 FillListWithSCTsOfOrigin( |
| 272 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | 230 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
| 273 desired_logs.size(), desired_logs, true, &scts); | 231 desired_logs.size(), desired_logs, true, &scts); |
| 274 | 232 |
| 275 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 233 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 276 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 234 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 277 NetLogWithSource())); | 235 NetLogWithSource())); |
| 278 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
| 279 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 280 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 281 } | 236 } |
| 282 | 237 |
| 283 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 238 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughSCTs) { |
| 284 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | |
| 285 new DummyEVCertsWhitelist(true, false)); | |
| 286 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 239 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 287 ct::SCTList scts; | 240 ct::SCTList scts; |
| 288 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 241 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
| 289 &scts); | 242 &scts); |
| 290 | 243 |
| 291 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 244 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 292 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 245 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 293 NetLogWithSource())); | 246 NetLogWithSource())); |
| 294 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
| 295 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 296 chain_.get(), non_including_whitelist.get(), scts, | |
| 297 NetLogWithSource())); | |
| 298 | |
| 299 // ... but should be OK if whitelisted. | |
| 300 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
| 301 new DummyEVCertsWhitelist(true, true)); | |
| 302 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | |
| 303 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 304 chain_.get(), whitelist.get(), scts, NetLogWithSource())); | |
| 305 } | 247 } |
| 306 | 248 |
| 307 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { | 249 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughFreshSCTs) { |
| 308 ct::SCTList scts; | 250 ct::SCTList scts; |
| 309 | 251 |
| 310 // The results should be the same before and after disqualification, | 252 // The results should be the same before and after disqualification, |
| 311 // regardless of the delivery method. | 253 // regardless of the delivery method. |
| 312 | 254 |
| 313 // SCT from before disqualification. | 255 // SCT from before disqualification. |
| 314 scts.clear(); | 256 scts.clear(); |
| 315 FillListWithSCTsOfOrigin( | 257 FillListWithSCTsOfOrigin( |
| 316 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 258 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
| 317 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 259 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 318 false, &scts); | 260 false, &scts); |
| 319 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 261 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 320 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 262 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 321 NetLogWithSource())); | 263 NetLogWithSource())); |
| 322 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
| 323 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 324 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 325 | 264 |
| 326 // SCT from after disqualification. | 265 // SCT from after disqualification. |
| 327 scts.clear(); | 266 scts.clear(); |
| 328 FillListWithSCTsOfOrigin( | 267 FillListWithSCTsOfOrigin( |
| 329 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 268 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
| 330 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | 269 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 331 true, &scts); | 270 true, &scts); |
| 332 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 271 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 333 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 272 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 334 NetLogWithSource())); | 273 NetLogWithSource())); |
| 335 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
| 336 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 337 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 338 | 274 |
| 339 // Embedded SCT from before disqualification. | 275 // Embedded SCT from before disqualification. |
| 340 scts.clear(); | 276 scts.clear(); |
| 341 FillListWithSCTsOfOrigin( | 277 FillListWithSCTsOfOrigin( |
| 342 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 278 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
| 343 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, | 279 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, |
| 344 &scts); | 280 &scts); |
| 345 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 281 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 346 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 282 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 347 NetLogWithSource())); | 283 NetLogWithSource())); |
| 348 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
| 349 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 350 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 351 | 284 |
| 352 // Embedded SCT from after disqualification. | 285 // Embedded SCT from after disqualification. |
| 353 scts.clear(); | 286 scts.clear(); |
| 354 FillListWithSCTsOfOrigin( | 287 FillListWithSCTsOfOrigin( |
| 355 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); | 288 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 1, &scts); |
| 356 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 289 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
| 357 &scts); | 290 &scts); |
| 358 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, | 291 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
| 359 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 292 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 360 NetLogWithSource())); | 293 NetLogWithSource())); |
| 361 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, | |
| 362 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 363 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 364 } | 294 } |
| 365 | 295 |
| 366 TEST_F(CTPolicyEnforcerTest, | 296 TEST_F(CTPolicyEnforcerTest, |
| 367 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { | 297 ConformsWithDisqualifiedLogBeforeDisqualificationDate) { |
| 368 ct::SCTList scts; | 298 ct::SCTList scts; |
| 369 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 299 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
| 370 &scts); | 300 &scts); |
| 371 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, | 301 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, false, |
| 372 &scts); | 302 &scts); |
| 373 | 303 |
| 374 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 304 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 375 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 305 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 376 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 306 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 377 NetLogWithSource())); | 307 NetLogWithSource())); |
| 378 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
| 379 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 380 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 381 } | 308 } |
| 382 | 309 |
| 383 TEST_F(CTPolicyEnforcerTest, | 310 TEST_F(CTPolicyEnforcerTest, |
| 384 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { | 311 DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) { |
| 385 ct::SCTList scts; | 312 ct::SCTList scts; |
| 386 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 313 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
| 387 &scts); | 314 &scts); |
| 388 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 315 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
| 389 &scts); | 316 &scts); |
| 390 | 317 |
| 391 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 318 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 392 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 319 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 393 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 320 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 394 NetLogWithSource())); | 321 NetLogWithSource())); |
| 395 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
| 396 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 397 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 398 } | 322 } |
| 399 | 323 |
| 400 TEST_F(CTPolicyEnforcerTest, | 324 TEST_F(CTPolicyEnforcerTest, |
| 401 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { | 325 DoesNotConformWithIssuanceDateAfterDisqualificationDate) { |
| 402 ct::SCTList scts; | 326 ct::SCTList scts; |
| 403 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, | 327 AddDisqualifiedLogSCT(ct::SignedCertificateTimestamp::SCT_EMBEDDED, true, |
| 404 &scts); | 328 &scts); |
| 405 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, | 329 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, |
| 406 &scts); | 330 &scts); |
| 407 // Make sure all SCTs are after the disqualification date. | 331 // Make sure all SCTs are after the disqualification date. |
| 408 for (size_t i = 1; i < scts.size(); ++i) | 332 for (size_t i = 1; i < scts.size(); ++i) |
| 409 scts[i]->timestamp = scts[0]->timestamp; | 333 scts[i]->timestamp = scts[0]->timestamp; |
| 410 | 334 |
| 411 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 335 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 412 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 336 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 413 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 337 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 414 NetLogWithSource())); | 338 NetLogWithSource())); |
| 415 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
| 416 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 417 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 418 } | 339 } |
| 419 | 340 |
| 420 TEST_F(CTPolicyEnforcerTest, | 341 TEST_F(CTPolicyEnforcerTest, |
| 421 DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { | 342 DoesNotConformToCTPolicyNotEnoughUniqueEmbeddedLogs) { |
| 422 ct::SCTList scts; | 343 ct::SCTList scts; |
| 423 std::vector<std::string> desired_logs; | 344 std::vector<std::string> desired_logs; |
| 424 | 345 |
| 425 // One Google Log. | 346 // One Google Log. |
| 426 desired_logs.clear(); | 347 desired_logs.clear(); |
| 427 desired_logs.push_back(google_log_id_); | 348 desired_logs.push_back(google_log_id_); |
| 428 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 349 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 429 desired_logs.size(), desired_logs, true, &scts); | 350 desired_logs.size(), desired_logs, true, &scts); |
| 430 | 351 |
| 431 // Two distinct non-Google logs. | 352 // Two distinct non-Google logs. |
| 432 desired_logs.clear(); | 353 desired_logs.clear(); |
| 433 desired_logs.push_back(std::string(crypto::kSHA256Length, 'A')); | 354 desired_logs.push_back(std::string(crypto::kSHA256Length, 'A')); |
| 434 desired_logs.push_back(std::string(crypto::kSHA256Length, 'B')); | 355 desired_logs.push_back(std::string(crypto::kSHA256Length, 'B')); |
| 435 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 356 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 436 desired_logs.size(), desired_logs, true, &scts); | 357 desired_logs.size(), desired_logs, true, &scts); |
| 437 | 358 |
| 438 // Two unique SCTs from the same non-Google log. | 359 // Two unique SCTs from the same non-Google log. |
| 439 desired_logs.clear(); | 360 desired_logs.clear(); |
| 440 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | 361 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
| 441 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); | 362 desired_logs.push_back(std::string(crypto::kSHA256Length, 'C')); |
| 442 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 363 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 443 desired_logs.size(), desired_logs, true, &scts); | 364 desired_logs.size(), desired_logs, true, &scts); |
| 444 | 365 |
| 445 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. | 366 // |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 446 // However, there are only 4 SCTs are from distinct logs. | 367 // However, there are only 4 SCTs are from distinct logs. |
| 447 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 368 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 448 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | 369 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
| 449 NetLogWithSource())); | 370 NetLogWithSource())); |
| 450 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
| 451 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 452 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 453 } | 371 } |
| 454 | 372 |
| 455 TEST_F(CTPolicyEnforcerTest, | 373 TEST_F(CTPolicyEnforcerTest, |
| 456 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 374 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
| 457 std::unique_ptr<crypto::RSAPrivateKey> private_key( | 375 std::unique_ptr<crypto::RSAPrivateKey> private_key( |
| 458 crypto::RSAPrivateKey::Create(1024)); | 376 crypto::RSAPrivateKey::Create(1024)); |
| 459 ASSERT_TRUE(private_key); | 377 ASSERT_TRUE(private_key); |
| 460 | 378 |
| 461 // Test multiple validity periods | 379 // Test multiple validity periods |
| 462 base::Time time_2015_3_0_25_11_25_0_0 = | 380 base::Time time_2015_3_0_25_11_25_0_0 = |
| (...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 519 | 437 |
| 520 for (size_t i = 0; i < required_scts - 1; ++i) { | 438 for (size_t i = 0; i < required_scts - 1; ++i) { |
| 521 ct::SCTList scts; | 439 ct::SCTList scts; |
| 522 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, | 440 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, i, |
| 523 std::vector<std::string>(), false, &scts); | 441 std::vector<std::string>(), false, &scts); |
| 524 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | 442 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
| 525 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 443 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
| 526 NetLogWithSource())) | 444 NetLogWithSource())) |
| 527 << " for: " << (end - start).InDays() << " and " << required_scts | 445 << " for: " << (end - start).InDays() << " and " << required_scts |
| 528 << " scts=" << scts.size() << " i=" << i; | 446 << " scts=" << scts.size() << " i=" << i; |
| 529 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
| 530 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 531 cert.get(), nullptr, scts, NetLogWithSource())) | |
| 532 << " for: " << (end - start).InDays() << " and " << required_scts | |
| 533 << " scts=" << scts.size() << " i=" << i; | |
| 534 } | 447 } |
| 535 ct::SCTList scts; | 448 ct::SCTList scts; |
| 536 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 449 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 537 required_scts, std::vector<std::string>(), false, | 450 required_scts, std::vector<std::string>(), false, |
| 538 &scts); | 451 &scts); |
| 539 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, | 452 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
| 540 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, | 453 policy_enforcer_->DoesConformToCertPolicy(cert.get(), scts, |
| 541 NetLogWithSource())) | 454 NetLogWithSource())) |
| 542 << " for: " << (end - start).InDays() << " and " << required_scts | 455 << " for: " << (end - start).InDays() << " and " << required_scts |
| 543 << " scts=" << scts.size(); | 456 << " scts=" << scts.size(); |
| 544 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, | |
| 545 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 546 cert.get(), nullptr, scts, NetLogWithSource())) | |
| 547 << " for: " << (end - start).InDays() << " and " << required_scts | |
| 548 << " scts=" << scts.size(); | |
| 549 } | 457 } |
| 550 } | 458 } |
| 551 | 459 |
| 552 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | |
| 553 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
| 554 new DummyEVCertsWhitelist(true, true)); | |
| 555 | |
| 556 ct::SCTList scts; | |
| 557 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | |
| 558 &scts); | |
| 559 EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, | |
| 560 policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, | |
| 561 NetLogWithSource())); | |
| 562 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, | |
| 563 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 564 chain_.get(), whitelist.get(), scts, NetLogWithSource())); | |
| 565 } | |
| 566 | |
| 567 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | |
| 568 scoped_refptr<ct::EVCertsWhitelist> whitelist( | |
| 569 new DummyEVCertsWhitelist(false, true)); | |
| 570 | |
| 571 ct::SCTList scts; | |
| 572 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | |
| 573 &scts); | |
| 574 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
| 575 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 576 chain_.get(), whitelist.get(), scts, NetLogWithSource())); | |
| 577 } | |
| 578 | |
| 579 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { | |
| 580 ct::SCTList scts; | |
| 581 FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | |
| 582 &scts); | |
| 583 EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, | |
| 584 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 585 chain_.get(), nullptr, scts, NetLogWithSource())); | |
| 586 } | |
| 587 | |
| 588 } // namespace | 460 } // namespace |
| 589 | 461 |
| 590 } // namespace net | 462 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2937563002:
Remove the EV Certs Whitelist (Closed)
