| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/multi_log_ct_verifier.h" | 5 #include "net/cert/multi_log_ct_verifier.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/file_util.h" | 9 #include "base/file_util.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| (...skipping 26 matching lines...) Expand all Loading... |
| 37 | 37 |
| 38 class MultiLogCTVerifierTest : public ::testing::Test { | 38 class MultiLogCTVerifierTest : public ::testing::Test { |
| 39 public: | 39 public: |
| 40 virtual void SetUp() OVERRIDE { | 40 virtual void SetUp() OVERRIDE { |
| 41 scoped_ptr<CTLogVerifier> log( | 41 scoped_ptr<CTLogVerifier> log( |
| 42 CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription)); | 42 CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription)); |
| 43 ASSERT_TRUE(log); | 43 ASSERT_TRUE(log); |
| 44 | 44 |
| 45 verifier_.reset(new MultiLogCTVerifier()); | 45 verifier_.reset(new MultiLogCTVerifier()); |
| 46 verifier_->AddLog(log.Pass()); | 46 verifier_->AddLog(log.Pass()); |
| 47 verifier_->SetEnforceCTEVPolicy(true); |
| 47 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 48 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
| 48 chain_ = X509Certificate::CreateFromBytes( | 49 chain_ = X509Certificate::CreateFromBytes( |
| 49 der_test_cert.data(), | 50 der_test_cert.data(), |
| 50 der_test_cert.length()); | 51 der_test_cert.length()); |
| 51 ASSERT_TRUE(chain_); | 52 ASSERT_TRUE(chain_); |
| 52 | 53 |
| 53 embedded_sct_chain_ = | 54 embedded_sct_chain_ = |
| 54 CreateCertificateChainFromFile(GetTestCertsDirectory(), | 55 CreateCertificateChainFromFile(GetTestCertsDirectory(), |
| 55 "ct-test-embedded-cert.pem", | 56 "ct-test-embedded-cert.pem", |
| 56 X509Certificate::FORMAT_AUTO); | 57 X509Certificate::FORMAT_AUTO); |
| 57 ASSERT_TRUE(embedded_sct_chain_); | 58 ASSERT_TRUE(embedded_sct_chain_); |
| 58 } | 59 } |
| 59 | 60 |
| 60 bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) { | 61 bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) { |
| 61 return (result.verified_scts.size() == 1U) && | 62 return (result.verified_scts.size() == 1U) && |
| 62 result.invalid_scts.empty() && | 63 result.invalid_scts.empty() && |
| 63 result.unknown_logs_scts.empty() && | 64 result.unknown_logs_scts.empty() && |
| 64 result.verified_scts[0]->log_description == kLogDescription; | 65 result.verified_scts[0]->log_description == kLogDescription; |
| 65 } | 66 } |
| 66 | 67 |
| 67 bool CheckForSCTOrigin( | 68 bool CheckForSCTOrigin( |
| 68 const ct::CTVerifyResult& result, | 69 const ct::CTVerifyResult& result, |
| 69 ct::SignedCertificateTimestamp::Origin origin) { | 70 ct::SignedCertificateTimestamp::Origin origin) { |
| 70 return (result.verified_scts.size() > 0) && | 71 return (result.verified_scts.size() > 0) && |
| 71 (result.verified_scts[0]->origin == origin); | 72 (result.verified_scts[0]->origin == origin); |
| 72 } | 73 } |
| 73 | 74 |
| 74 bool CheckForEmbeddedSCTInNetLog(CapturingNetLog& net_log) { | 75 bool CheckForEmbeddedSCTInNetLog(const CapturingNetLog& net_log) { |
| 75 CapturingNetLog::CapturedEntryList entries; | 76 CapturingNetLog::CapturedEntryList entries; |
| 76 net_log.GetEntries(&entries); | 77 net_log.GetEntries(&entries); |
| 77 if (entries.size() != 2) | 78 if (entries.size() != 2) |
| 78 return false; | 79 return false; |
| 79 | 80 |
| 80 const CapturingNetLog::CapturedEntry& received = entries[0]; | 81 const CapturingNetLog::CapturedEntry& received = entries[0]; |
| 81 std::string embedded_scts; | 82 std::string embedded_scts; |
| 82 if (!received.GetStringValue("embedded_scts", &embedded_scts)) | 83 if (!received.GetStringValue("embedded_scts", &embedded_scts)) |
| 83 return false; | 84 return false; |
| 84 if (embedded_scts.empty()) | 85 if (embedded_scts.empty()) |
| (...skipping 92 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 177 int NumEmbeddedSCTsInHistogram() { | 178 int NumEmbeddedSCTsInHistogram() { |
| 178 return GetValueFromHistogram("Net.CertificateTransparency.SCTOrigin", | 179 return GetValueFromHistogram("Net.CertificateTransparency.SCTOrigin", |
| 179 ct::SignedCertificateTimestamp::SCT_EMBEDDED); | 180 ct::SignedCertificateTimestamp::SCT_EMBEDDED); |
| 180 } | 181 } |
| 181 | 182 |
| 182 int NumValidSCTsInStatusHistogram() { | 183 int NumValidSCTsInStatusHistogram() { |
| 183 return GetValueFromHistogram("Net.CertificateTransparency.SCTStatus", | 184 return GetValueFromHistogram("Net.CertificateTransparency.SCTStatus", |
| 184 ct::SCT_STATUS_OK); | 185 ct::SCT_STATUS_OK); |
| 185 } | 186 } |
| 186 | 187 |
| 188 void FillResultWithSCTsOfOrigin( |
| 189 ct::SignedCertificateTimestamp::Origin desired_origin, |
| 190 int num_scts, |
| 191 ct::CTVerifyResult* result) { |
| 192 for (int i = 0; i < num_scts; ++i) { |
| 193 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
| 194 new ct::SignedCertificateTimestamp()); |
| 195 sct->origin = desired_origin; |
| 196 result->verified_scts.push_back(sct); |
| 197 } |
| 198 } |
| 199 |
| 187 protected: | 200 protected: |
| 188 scoped_ptr<MultiLogCTVerifier> verifier_; | 201 scoped_ptr<MultiLogCTVerifier> verifier_; |
| 189 scoped_refptr<X509Certificate> chain_; | 202 scoped_refptr<X509Certificate> chain_; |
| 190 scoped_refptr<X509Certificate> embedded_sct_chain_; | 203 scoped_refptr<X509Certificate> embedded_sct_chain_; |
| 191 }; | 204 }; |
| 192 | 205 |
| 193 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) { | 206 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) { |
| 194 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_)); | 207 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_)); |
| 195 } | 208 } |
| 196 | 209 |
| (...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 287 EXPECT_EQ(old_embedded_count + 1, NumEmbeddedSCTsInHistogram()); | 300 EXPECT_EQ(old_embedded_count + 1, NumEmbeddedSCTsInHistogram()); |
| 288 } | 301 } |
| 289 | 302 |
| 290 TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) { | 303 TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) { |
| 291 int connections_without_scts = GetValueFromHistogram(kSCTCountHistogram, 0); | 304 int connections_without_scts = GetValueFromHistogram(kSCTCountHistogram, 0); |
| 292 EXPECT_FALSE(VerifySinglePrecertificateChain(chain_)); | 305 EXPECT_FALSE(VerifySinglePrecertificateChain(chain_)); |
| 293 ASSERT_EQ(connections_without_scts + 1, | 306 ASSERT_EQ(connections_without_scts + 1, |
| 294 GetValueFromHistogram(kSCTCountHistogram, 0)); | 307 GetValueFromHistogram(kSCTCountHistogram, 0)); |
| 295 } | 308 } |
| 296 | 309 |
| 310 TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| 311 ct::CTVerifyResult result; |
| 312 FillResultWithSCTsOfOrigin( |
| 313 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 314 2, |
| 315 &result); |
| 316 |
| 317 ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result)); |
| 318 } |
| 319 |
| 320 TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| 321 // We know that the chain_ is valid for 10 years - over 121 months - so |
| 322 // requires 5 SCTs. |
| 323 ct::CTVerifyResult result; |
| 324 FillResultWithSCTsOfOrigin( |
| 325 ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 326 5, |
| 327 &result); |
| 328 |
| 329 ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result)); |
| 330 } |
| 331 |
| 332 TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyMixedOriginSCTs) { |
| 333 ct::CTVerifyResult result; |
| 334 FillResultWithSCTsOfOrigin( |
| 335 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
| 336 2, |
| 337 &result); |
| 338 result.verified_scts[1]->origin = |
| 339 ct::SignedCertificateTimestamp::SCT_EMBEDDED; |
| 340 ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result)); |
| 341 } |
| 342 |
| 343 TEST_F(MultiLogCTVerifierTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 344 // We know that the chain_ is valid for 10 years - over 121 months - so |
| 345 // 5 SCTs are required. However, as there are only two logs, two SCTs |
| 346 // will be required - so provide one to guarantee the test fails. |
| 347 ct::CTVerifyResult result; |
| 348 FillResultWithSCTsOfOrigin( |
| 349 ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 350 1, |
| 351 &result); |
| 352 |
| 353 ASSERT_FALSE(verifier_->DoesConformToCTEVPolicy(chain_, result)); |
| 354 } |
| 355 |
| 356 |
| 297 } // namespace | 357 } // namespace |
| 298 | 358 |
| 299 } // namespace net | 359 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 422063004:
Certificate Transparency: Require SCTs for EV certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master