Index: net/cert/ct_policy_enforcer_unittest.cc |
diff --git a/net/cert/ct_policy_enforcer_unittest.cc b/net/cert/ct_policy_enforcer_unittest.cc |
index f30411c338b3219c1202771e347f1a0e19c00a20..46942a8fb6772cebb0012aaad213f069812113f8 100644 |
--- a/net/cert/ct_policy_enforcer_unittest.cc |
+++ b/net/cert/ct_policy_enforcer_unittest.cc |
@@ -11,7 +11,6 @@ |
#include "base/version.h" |
#include "crypto/rsa_private_key.h" |
#include "crypto/sha2.h" |
-#include "net/cert/ct_ev_whitelist.h" |
#include "net/cert/ct_policy_status.h" |
#include "net/cert/ct_verify_result.h" |
#include "net/cert/x509_certificate.h" |
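Review bot: `#include "base/version.h"` stays as context at the top of this hunk, but the only use of `base::Version` visible in this patch is `DummyEVCertsWhitelist::Version()`, which the next hunk deletes. If nothing outside the visible hunks still needs it, remove the line `#include "base/version.h"` in the same change so the test file does not keep a dependency that only served the removed EV whitelist stub.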
@@ -27,29 +26,6 @@ namespace net { |
namespace { |
-class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { |
- public: |
- DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response) |
- : canned_is_valid_(is_valid_response), |
- canned_contains_response_(contains_hash_response) {} |
- |
- bool IsValid() const override { return canned_is_valid_; } |
- |
- bool ContainsCertificateHash( |
- const std::string& certificate_hash) const override { |
- return canned_contains_response_; |
- } |
- |
- base::Version Version() const override { return base::Version(); } |
- |
- protected: |
- ~DummyEVCertsWhitelist() override {} |
- |
- private: |
- bool canned_is_valid_; |
- bool canned_contains_response_; |
-}; |
- |
const char kGoogleAviatorLogID[] = |
"\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51" |
"\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"; |
@@ -147,14 +123,14 @@ class CTPolicyEnforcerTest : public ::testing::Test { |
}; |
#if defined(OS_ANDROID) |
-#define MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle \ |
- DISABLED_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle |
+#define MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle \ |
+ DISABLED_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle |
#else |
-#define MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle \ |
- DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle |
+#define MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle \ |
+ DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle |
#endif |
TEST_F(CTPolicyEnforcerTest, |
- MAYBE_DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) { |
+ MAYBE_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle) { |
ct::SCTList scts; |
std::vector<std::string> desired_log_ids(2, google_log_id_); |
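Review bot: The `#if defined(OS_ANDROID)` block that aliases this test to `DISABLED_DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllGoogle` has no comment explaining why it is skipped on Android; the line before it in the hunk is the closing `};` of the fixture. Since both `#define` lines are being rewritten here, add a line above the `#if` such as `// Disabled on Android: <reason or bug link placeholder>.` Without it a reader cannot tell whether leaving the all-Google log-diversity rejection unexercised on that platform is intentional. The test body continues past the end of this hunk.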
@@ -165,13 +141,10 @@ TEST_F(CTPolicyEnforcerTest, |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
TEST_F(CTPolicyEnforcerTest, |
- DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
+ DoesNotConformToCTPolicyNotEnoughDiverseSCTsAllNonGoogle) { |
ct::SCTList scts; |
std::vector<std::string> desired_log_ids(2, non_google_log_id_); |
@@ -182,12 +155,9 @@ TEST_F(CTPolicyEnforcerTest, |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyIfSCTBeforeEnforcementDate) { |
ct::SCTList scts; |
// |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
// All 5 SCTs will be from non-Google logs. |
@@ -197,12 +167,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithNonEmbeddedSCTs) { |
ct::SCTList scts; |
FillListWithSCTsOfOrigin( |
ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &scts); |
@@ -210,12 +177,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithEmbeddedSCTs) { |
// |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
ct::SCTList scts; |
FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
@@ -224,12 +188,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { |
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithPooledNonEmbeddedSCTs) { |
ct::SCTList scts; |
std::vector<std::string> desired_logs; |
@@ -250,12 +211,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledNonEmbeddedSCTs) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
-TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { |
+TEST_F(CTPolicyEnforcerTest, ConformsToCTPolicyWithPooledEmbeddedSCTs) { |
ct::SCTList scts; |
std::vector<std::string> desired_logs; |
@@ -275,14 +233,9 @@ TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithPooledEmbeddedSCTs) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
-TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
- scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
- new DummyEVCertsWhitelist(true, false)); |
+TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughSCTs) { |
// |chain_| is valid for 10 years - over 121 months - so requires 5 SCTs. |
ct::SCTList scts; |
FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
@@ -291,20 +244,9 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), non_including_whitelist.get(), scts, |
- NetLogWithSource())); |
- |
- // ... but should be OK if whitelisted. |
- scoped_refptr<ct::EVCertsWhitelist> whitelist( |
- new DummyEVCertsWhitelist(true, true)); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), whitelist.get(), scts, NetLogWithSource())); |
} |
-TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { |
+TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughFreshSCTs) { |
ct::SCTList scts; |
// The results should be the same before and after disqualification, |
@@ -319,9 +261,6 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
// SCT from after disqualification. |
scts.clear(); |
@@ -332,9 +271,6 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
// Embedded SCT from before disqualification. |
scts.clear(); |
@@ -345,9 +281,6 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
// Embedded SCT from after disqualification. |
scts.clear(); |
@@ -358,9 +291,6 @@ TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughFreshSCTs) { |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_DIVERSE_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
TEST_F(CTPolicyEnforcerTest, |
@@ -375,9 +305,6 @@ TEST_F(CTPolicyEnforcerTest, |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
TEST_F(CTPolicyEnforcerTest, |
@@ -392,9 +319,6 @@ TEST_F(CTPolicyEnforcerTest, |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
TEST_F(CTPolicyEnforcerTest, |
@@ -412,13 +336,10 @@ TEST_F(CTPolicyEnforcerTest, |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
TEST_F(CTPolicyEnforcerTest, |
- DoesNotConformToCTEVPolicyNotEnoughUniqueEmbeddedLogs) { |
+ DoesNotConformToCTPolicyNotEnoughUniqueEmbeddedLogs) { |
ct::SCTList scts; |
std::vector<std::string> desired_logs; |
@@ -447,9 +368,6 @@ TEST_F(CTPolicyEnforcerTest, |
EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
} |
TEST_F(CTPolicyEnforcerTest, |
@@ -526,11 +444,6 @@ TEST_F(CTPolicyEnforcerTest, |
NetLogWithSource())) |
<< " for: " << (end - start).InDays() << " and " << required_scts |
<< " scts=" << scts.size() << " i=" << i; |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- cert.get(), nullptr, scts, NetLogWithSource())) |
- << " for: " << (end - start).InDays() << " and " << required_scts |
- << " scts=" << scts.size() << " i=" << i; |
} |
ct::SCTList scts; |
FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
@@ -541,50 +454,9 @@ TEST_F(CTPolicyEnforcerTest, |
NetLogWithSource())) |
<< " for: " << (end - start).InDays() << " and " << required_scts |
<< " scts=" << scts.size(); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- cert.get(), nullptr, scts, NetLogWithSource())) |
- << " for: " << (end - start).InDays() << " and " << required_scts |
- << " scts=" << scts.size(); |
} |
} |
-TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
- scoped_refptr<ct::EVCertsWhitelist> whitelist( |
- new DummyEVCertsWhitelist(true, true)); |
- |
- ct::SCTList scts; |
- FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
- &scts); |
- EXPECT_EQ(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS, |
- policy_enforcer_->DoesConformToCertPolicy(chain_.get(), scts, |
- NetLogWithSource())); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), whitelist.get(), scts, NetLogWithSource())); |
-} |
- |
-TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
- scoped_refptr<ct::EVCertsWhitelist> whitelist( |
- new DummyEVCertsWhitelist(false, true)); |
- |
- ct::SCTList scts; |
- FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
- &scts); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), whitelist.get(), scts, NetLogWithSource())); |
-} |
- |
-TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
- ct::SCTList scts; |
- FillListWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
- &scts); |
- EXPECT_EQ(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS, |
- policy_enforcer_->DoesConformToCTEVPolicy( |
- chain_.get(), nullptr, scts, NetLogWithSource())); |
-} |
- |
} // namespace |
} // namespace net |