OLD | NEW |
(Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/cert/cert_policy_enforcer.h" |
| 6 |
| 7 #include <string> |
| 8 |
| 9 #include "base/memory/scoped_ptr.h" |
| 10 #include "net/cert/ct_ev_whitelist.h" |
| 11 #include "net/cert/ct_verify_result.h" |
| 12 #include "net/cert/x509_certificate.h" |
| 13 #include "net/test/cert_test_util.h" |
| 14 #include "net/test/ct_test_util.h" |
| 15 #include "testing/gtest/include/gtest/gtest.h" |
| 16 |
| 17 namespace net { |
| 18 |
| 19 namespace { |
| 20 |
| 21 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { |
| 22 public: |
| 23 explicit DummyEVCertsWhitelist(bool always_return) |
| 24 : canned_response_(always_return) {} |
| 25 |
| 26 bool IsValid() const override { return true; } |
| 27 |
| 28 bool ContainsCertificateHash( |
| 29 const std::string& certificate_hash) const override { |
| 30 return canned_response_; |
| 31 } |
| 32 |
| 33 protected: |
| 34 ~DummyEVCertsWhitelist() override {} |
| 35 |
| 36 private: |
| 37 bool canned_response_; |
| 38 }; |
| 39 |
| 40 class CertPolicyEnforcerTest : public ::testing::Test { |
| 41 public: |
| 42 virtual void SetUp() override { |
| 43 policy_enforcer_.reset(new CertPolicyEnforcer(5, true)); |
| 44 |
| 45 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
| 46 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
| 47 der_test_cert.length()); |
| 48 ASSERT_TRUE(chain_.get()); |
| 49 whitelist_ = new DummyEVCertsWhitelist(false); |
| 50 } |
| 51 |
| 52 void FillResultWithSCTsOfOrigin( |
| 53 ct::SignedCertificateTimestamp::Origin desired_origin, |
| 54 int num_scts, |
| 55 ct::CTVerifyResult* result) { |
| 56 for (int i = 0; i < num_scts; ++i) { |
| 57 scoped_refptr<ct::SignedCertificateTimestamp> sct( |
| 58 new ct::SignedCertificateTimestamp()); |
| 59 sct->origin = desired_origin; |
| 60 result->verified_scts.push_back(sct); |
| 61 } |
| 62 } |
| 63 |
| 64 protected: |
| 65 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; |
| 66 scoped_refptr<X509Certificate> chain_; |
| 67 scoped_refptr<ct::EVCertsWhitelist> whitelist_; |
| 68 }; |
| 69 |
| 70 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| 71 ct::CTVerifyResult result; |
| 72 FillResultWithSCTsOfOrigin( |
| 73 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
| 74 |
| 75 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 76 chain_.get(), whitelist_.get(), result)); |
| 77 } |
| 78 |
| 79 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| 80 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 81 ct::CTVerifyResult result; |
| 82 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 83 &result); |
| 84 |
| 85 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 86 chain_.get(), whitelist_.get(), result)); |
| 87 } |
| 88 |
| 89 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyMixedOriginSCTs) { |
| 90 ct::CTVerifyResult result; |
| 91 FillResultWithSCTsOfOrigin( |
| 92 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
| 93 result.verified_scts[1]->origin = |
| 94 ct::SignedCertificateTimestamp::SCT_EMBEDDED; |
| 95 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 96 chain_.get(), whitelist_.get(), result)); |
| 97 } |
| 98 |
| 99 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 100 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 101 // However, as there are only two logs, two SCTs will be required - supply one |
| 102 // to guarantee the test fails. |
| 103 ct::CTVerifyResult result; |
| 104 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 105 &result); |
| 106 |
| 107 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 108 chain_.get(), whitelist_.get(), result)); |
| 109 } |
| 110 |
| 111 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) { |
| 112 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false)); |
| 113 |
| 114 ct::CTVerifyResult result; |
| 115 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 116 &result); |
| 117 // Expect true despite the chain not having enough SCTs as the policy |
| 118 // is not enforced. |
| 119 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), whitelist_.get(), |
| 120 result)); |
| 121 } |
| 122 |
| 123 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
| 124 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
| 125 "subject", "issuer", base::Time(), base::Time::Now())); |
| 126 ct::CTVerifyResult result; |
| 127 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 128 &result); |
| 129 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 130 no_valid_dates_cert.get(), NULL, result)); |
| 131 } |
| 132 |
| 133 TEST_F(CertPolicyEnforcerTest, |
| 134 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
| 135 // Test multiple validity periods: Over 27 months, Over 15 months (but less |
| 136 // than 27 months), |
| 137 // Less than 15 months. |
| 138 const size_t validity_period[] = {12, 19, 30, 50}; |
| 139 const size_t needed_scts[] = {2, 3, 4, 5}; |
| 140 |
| 141 for (int i = 0; i < 3; ++i) { |
| 142 size_t curr_validity = validity_period[i]; |
| 143 scoped_refptr<X509Certificate> cert(new X509Certificate( |
| 144 "subject", "issuer", base::Time::Now(), |
| 145 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity))); |
| 146 size_t curr_required_scts = needed_scts[i]; |
| 147 ct::CTVerifyResult result; |
| 148 for (size_t j = 0; j < curr_required_scts - 1; ++j) { |
| 149 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 150 1, &result); |
| 151 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 152 cert.get(), NULL, result)) |
| 153 << " for: " << curr_validity << " and " << curr_required_scts |
| 154 << " scts=" << result.verified_scts.size() << " j=" << j; |
| 155 } |
| 156 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 157 &result); |
| 158 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 159 cert.get(), NULL, result)); |
| 160 } |
| 161 } |
| 162 |
| 163 TEST_F(CertPolicyEnforcerTest, |
| 164 ConformsToPolicyButDoesNotRequireMoreThanNumLogs) { |
| 165 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true)); |
| 166 |
| 167 ct::CTVerifyResult result; |
| 168 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
| 169 &result); |
| 170 // Expect true despite the chain not having enough SCTs according to the |
| 171 // policy |
| 172 // since we only have 2 logs. |
| 173 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), whitelist_.get(), |
| 174 result)); |
| 175 } |
| 176 |
| 177 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
| 178 scoped_refptr<ct::EVCertsWhitelist> whitelist = |
| 179 new DummyEVCertsWhitelist(true); |
| 180 |
| 181 ct::CTVerifyResult result; |
| 182 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 183 &result); |
| 184 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 185 chain_.get(), whitelist.get(), result)); |
| 186 } |
| 187 |
| 188 } // namespace |
| 189 |
| 190 } // namespace net |
OLD | NEW |