Unified Diff: net/cert/ct_policy_enforcer_unittest.cc

Issue 2937563002: Remove the EV Certs Whitelist (Closed)
Patch Set: Created 3 years, 6 months ago
Index: net/cert/ct_policy_enforcer_unittest.cc
diff --git a/net/cert/ct_policy_enforcer_unittest.cc b/net/cert/ct_policy_enforcer_unittest.cc
index f30411c338b3219c1202771e347f1a0e19c00a20..46942a8fb6772cebb0012aaad213f069812113f8 100644
--- a/net/cert/ct_policy_enforcer_unittest.cc
+++ b/net/cert/ct_policy_enforcer_unittest.cc
@@ -11,7 +11,6 @@
#include "base/version.h"
#include "crypto/rsa_private_key.h"
#include "crypto/sha2.h"
-#include "net/cert/ct_ev_whitelist.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verify_result.h"
#include "net/cert/x509_certificate.h"
@@ -27,29 +26,6 @@ namespace net {
namespace {
-class DummyEVCertsWhitelist : public ct::EVCertsWhitelist {
- public:
- DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response)
- : canned_is_valid_(is_valid_response),
- canned_contains_response_(contains_hash_response) {}
-
- bool IsValid() const override { return canned_is_valid_; }
-
- bool ContainsCertificateHash(
- const std::string& certificate_hash) const override {
- return canned_contains_response_;
- }
-
- base::Version Version() const override { return base::Version(); }
-
- protected:
- ~DummyEVCertsWhitelist() override {}
-
- private:
- bool canned_is_valid_;
- bool canned_contains_response_;
-};
-
const char kGoogleAviatorLogID[] =
"\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51"
"\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4";
@@ -147,14 +123,14 @@ class CTPolicyEnforcerTest : public ::testing::Test {
};
#if defined(OS_ANDROID)
-#define MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle \
- DISABLED_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle
+#define MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle \
+ DISABLED_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle
#else
-#define MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle \
- DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle
+#define MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle \
+ DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle
#endif
TEST_F(CTPolicyEnforcerTest,
- MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) {
+ MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle) {
ct::SCTList scts;
std::vector<std::string> desired_log_ids(2, google_log_id_);
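Review bot: The renamed MAYBE_ macro at the top of the hunk keeps DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle mapped to its DISABLED_ form on Android, and nothing in the hunk records why it is disabled there or what tracks re-enabling it. Since the commit rewrites both #define lines anyway, a one-line comment above `#if defined(OS_ANDROID)` such as `// Disabled on Android: <reason>; see crbug.com/<BUG_ID>.` would spare the next reader a blame walk. Separately, the new test names say "CTPolicy" while the API they exercise is `DoesConformToCertPolicy` returning `ct::CertPolicyCompliance`; "CertPolicy" in the names (here and in the later renames of this commit) would match the code they assert on, though that is a naming preference. The test body continues past the end of the hunk.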
@@ -165,13 +141,10 @@ TEST_F(CTPolicyEnforcerTest,
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
TEST_F(CTPolicyEnforcerTest,
- DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) {
+ DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllNonGoogle) {
ct::SCTList scts;
std::vector<std::string> desired_log_ids(2, non_google_log_id_);
@@ -182,12 +155,9 @@ TEST_F(CTPolicyEnforcerTest,
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyIfSCTBeforeEnforcementDate) {
ct::SCTList scts;
// |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
// All 5 SCTs will be from non-Google logs.
@@ -197,12 +167,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithNonEmbeddedSCTs) {
ct::SCTList scts;
FillListWithSCTsOfOrigin(
ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts);
@@ -210,12 +177,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithEmbeddedSCTs) {
// |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
ct::SCTList scts;
FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
@@ -224,12 +188,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) {
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithPooledNonEmbeddedSCTs) {
ct::SCTList scts;
std::vector<std::string> desired_logs;
@@ -250,12 +211,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) {
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithPooledEmbeddedSCTs) {
ct::SCTList scts;
std::vector<std::string> desired_logs;
@@ -275,14 +233,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
-TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
- scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
- new DummyEVCertsWhitelist(true, false));
+TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughSCTs) {
// |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs.
ct::SCTList scts;
FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
@@ -291,20 +244,9 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), non_including_whitelist.get(), scts,
- NetLogWithSource()));
-
- // ... but should be OK if whitelisted.
- scoped_refptr<ct::EVCertsWhitelist> whitelist(
- new DummyEVCertsWhitelist(true, true));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), scts, NetLogWithSource()));
}
-TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) {
+TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughFreshSCTs) {
ct::SCTList scts;
// The results should be the same before and after disqualification,
@@ -319,9 +261,6 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
// SCT from after disqualification.
scts.clear();
@@ -332,9 +271,6 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
// Embedded SCT from before disqualification.
scts.clear();
@@ -345,9 +281,6 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
// Embedded SCT from after disqualification.
scts.clear();
@@ -358,9 +291,6 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) {
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
TEST_F(CTPolicyEnforcerTest,
@@ -375,9 +305,6 @@ TEST_F(CTPolicyEnforcerTest,
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
TEST_F(CTPolicyEnforcerTest,
@@ -392,9 +319,6 @@ TEST_F(CTPolicyEnforcerTest,
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
TEST_F(CTPolicyEnforcerTest,
@@ -412,13 +336,10 @@ TEST_F(CTPolicyEnforcerTest,
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
TEST_F(CTPolicyEnforcerTest,
- DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) {
+ DoesNotConformToCTPolicyNotEnoughUniqueEmbeddedLogs) {
ct::SCTList scts;
std::vector<std::string> desired_logs;
@@ -447,9 +368,6 @@ TEST_F(CTPolicyEnforcerTest,
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
}
TEST_F(CTPolicyEnforcerTest,
@@ -526,11 +444,6 @@ TEST_F(CTPolicyEnforcerTest,
NetLogWithSource()))
<< " for: " << (end - start).InDays() << " and " << required_scts
<< " scts=" << scts.size() << " i=" << i;
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- cert.get(), nullptr, scts, NetLogWithSource()))
- << " for: " << (end - start).InDays() << " and " << required_scts
- << " scts=" << scts.size() << " i=" << i;
}
ct::SCTList scts;
FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
@@ -541,50 +454,9 @@ TEST_F(CTPolicyEnforcerTest,
NetLogWithSource()))
<< " for: " << (end - start).InDays() << " and " << required_scts
<< " scts=" << scts.size();
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- cert.get(), nullptr, scts, NetLogWithSource()))
- << " for: " << (end - start).InDays() << " and " << required_scts
- << " scts=" << scts.size();
}
}
-TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
- scoped_refptr<ct::EVCertsWhitelist> whitelist(
- new DummyEVCertsWhitelist(true, true));
-
- ct::SCTList scts;
- FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
- &scts);
- EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS,
- policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts,
- NetLogWithSource()));
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), scts, NetLogWithSource()));
-}
-
-TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
- scoped_refptr<ct::EVCertsWhitelist> whitelist(
- new DummyEVCertsWhitelist(false, true));
-
- ct::SCTList scts;
- FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
- &scts);
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), whitelist.get(), scts, NetLogWithSource()));
-}
-
-TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
- ct::SCTList scts;
- FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
- &scts);
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS,
- policy_enforcer_->DoesConformToCTEVPolicy(
- chain_.get(), nullptr, scts, NetLogWithSource()));
-}
-
} // namespace
} // namespace net