OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/cert_policy_enforcer.h" | |
6 | |
7 #include <string> | |
8 | |
9 #include "base/memory/scoped_ptr.h" | |
10 #include "net/cert/ct_ev_whitelist.h" | |
11 #include "net/cert/ct_verify_result.h" | |
12 #include "net/cert/x509_certificate.h" | |
13 #include "net/test/cert_test_util.h" | |
14 #include "net/test/ct_test_util.h" | |
15 #include "testing/gtest/include/gtest/gtest.h" | |
16 | |
17 namespace net { | |
18 | |
19 namespace { | |
20 | |
21 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { | |
22 public: | |
23 explicit DummyEVCertsWhitelist(bool always_return) | |
24 : canned_response_(always_return) {} | |
25 | |
26 bool IsValid() const override { return true; } | |
27 | |
28 bool ContainsCertificateHash( | |
29 const std::string& certificate_hash) const override { | |
30 return canned_response_; | |
31 } | |
32 | |
33 protected: | |
34 ~DummyEVCertsWhitelist() override {} | |
35 | |
36 private: | |
37 bool canned_response_; | |
38 }; | |
Ryan Sleevi
2014/11/28 15:27:44
Seems like this could/should be replaced with GMoc
Eran Messeri
2014/12/01 13:59:03
Done with a slight variation: I couldn't use ON_CA
| |
39 | |
40 class CertPolicyEnforcerTest : public ::testing::Test { | |
41 public: | |
42 virtual void SetUp() override { | |
43 policy_enforcer_.reset(new CertPolicyEnforcer(5, true)); | |
44 | |
45 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | |
46 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | |
47 der_test_cert.length()); | |
Ryan Sleevi
2014/11/28 15:27:44
s/.length()/.size()/
Eran Messeri
2014/12/01 13:59:03
Done.
| |
48 ASSERT_TRUE(chain_.get()); | |
49 whitelist_ = new DummyEVCertsWhitelist(false); | |
Ryan Sleevi
2014/11/28 15:27:44
Nuke this in favour of consistency among the tests
Eran Messeri
2014/12/01 13:59:03
Done, per your suggestion, particularly:
(1) used
| |
50 } | |
51 | |
52 void FillResultWithSCTsOfOrigin( | |
53 ct::SignedCertificateTimestamp::Origin desired_origin, | |
54 int num_scts, | |
55 ct::CTVerifyResult* result) { | |
56 for (int i = 0; i < num_scts; ++i) { | |
57 scoped_refptr<ct::SignedCertificateTimestamp> sct( | |
58 new ct::SignedCertificateTimestamp()); | |
59 sct->origin = desired_origin; | |
60 result->verified_scts.push_back(sct); | |
61 } | |
62 } | |
63 | |
64 protected: | |
65 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; | |
66 scoped_refptr<X509Certificate> chain_; | |
67 scoped_refptr<ct::EVCertsWhitelist> whitelist_; | |
68 }; | |
69 | |
70 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | |
71 ct::CTVerifyResult result; | |
72 FillResultWithSCTsOfOrigin( | |
73 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | |
74 | |
75 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
76 chain_.get(), whitelist_.get(), result)); | |
77 } | |
78 | |
79 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | |
80 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
81 ct::CTVerifyResult result; | |
82 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
83 &result); | |
84 | |
85 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
86 chain_.get(), whitelist_.get(), result)); | |
87 } | |
88 | |
89 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyMixedOriginSCTs) { | |
90 ct::CTVerifyResult result; | |
91 FillResultWithSCTsOfOrigin( | |
92 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | |
93 result.verified_scts[1]->origin = | |
94 ct::SignedCertificateTimestamp::SCT_EMBEDDED; | |
95 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
96 chain_.get(), whitelist_.get(), result)); | |
97 } | |
98 | |
99 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | |
100 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
101 // However, as there are only two logs, two SCTs will be required - supply one | |
102 // to guarantee the test fails. | |
103 ct::CTVerifyResult result; | |
104 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
105 &result); | |
106 | |
107 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
108 chain_.get(), whitelist_.get(), result)); | |
109 } | |
110 | |
111 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) { | |
112 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false)); | |
113 | |
114 ct::CTVerifyResult result; | |
115 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
116 &result); | |
117 // Expect true despite the chain not having enough SCTs as the policy | |
118 // is not enforced. | |
119 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), whitelist_.get(), | |
120 result)); | |
121 } | |
122 | |
123 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | |
124 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | |
125 "subject", "issuer", base::Time(), base::Time::Now())); | |
126 ct::CTVerifyResult result; | |
127 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
128 &result); | |
129 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
130 no_valid_dates_cert.get(), NULL, result)); | |
131 } | |
132 | |
133 TEST_F(CertPolicyEnforcerTest, | |
134 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | |
135 // Test multiple validity periods: Over 27 months, Over 15 months (but less | |
136 // than 27 months), | |
137 // Less than 15 months. | |
138 const size_t validity_period[] = {12, 19, 30, 50}; | |
139 const size_t needed_scts[] = {2, 3, 4, 5}; | |
140 | |
141 for (int i = 0; i < 3; ++i) { | |
142 size_t curr_validity = validity_period[i]; | |
143 scoped_refptr<X509Certificate> cert(new X509Certificate( | |
144 "subject", "issuer", base::Time::Now(), | |
145 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity))); | |
146 size_t curr_required_scts = needed_scts[i]; | |
147 ct::CTVerifyResult result; | |
148 for (size_t j = 0; j < curr_required_scts - 1; ++j) { | |
149 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
150 1, &result); | |
151 EXPECT_FALSE( | |
152 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), NULL, result)) | |
153 << " for: " << curr_validity << " and " << curr_required_scts | |
154 << " scts=" << result.verified_scts.size() << " j=" << j; | |
155 } | |
156 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
157 &result); | |
158 EXPECT_TRUE( | |
159 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), NULL, result)); | |
160 } | |
161 } | |
162 | |
163 TEST_F(CertPolicyEnforcerTest, | |
164 ConformsToPolicyButDoesNotRequireMoreThanNumLogs) { | |
165 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true)); | |
166 | |
167 ct::CTVerifyResult result; | |
168 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | |
169 &result); | |
170 // Expect true despite the chain not having enough SCTs according to the | |
171 // policy | |
172 // since we only have 2 logs. | |
173 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), whitelist_.get(), | |
174 result)); | |
175 } | |
176 | |
177 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | |
178 scoped_refptr<ct::EVCertsWhitelist> whitelist = | |
179 new DummyEVCertsWhitelist(true); | |
180 | |
181 ct::CTVerifyResult result; | |
182 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
183 &result); | |
184 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
185 chain_.get(), whitelist.get(), result)); | |
186 } | |
187 | |
188 } // namespace | |
189 | |
190 } // namespace net | |
OLD | NEW |