net/cert/cert_policy_enforcer_unittest.cc - Issue 422063004: Certificate Transparency: Require SCTs for EV certificates.

Side by Side Diff: net/cert/cert_policy_enforcer_unittest.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: datatype issues addressed. Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2014 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "net/cert/cert_policy_enforcer.h"

	6

	7 #include <string>

	8

	9 #include "base/memory/scoped_ptr.h"

	10 #include "net/cert/ct_verify_result.h"

	11 #include "net/cert/x509_certificate.h"

	12 #include "net/test/cert_test_util.h"

	13 #include "net/test/ct_test_util.h"

	14 #include "testing/gtest/include/gtest/gtest.h"

	15

	16 namespace net {

	17

	18 namespace {

	19

	20 class CertPolicyEnforcerTest : public ::testing::Test {

	21 public:

	22 virtual void SetUp() override {

	23 policy_enforcer_.reset(new CertPolicyEnforcer(3));

	24 CertPolicyEnforcer::SetEnforceCTEVPolicy(true);
	Ryan Sleevi 2014/10/22 19:48:36 This test has global effect that isn't reset. (As This test has global effect that isn't reset. (As an artifact that our tests run a single test per executable run, you're being saved, but that's generally a test smell) Eran Messeri 2014/10/24 12:12:36 Good point - now that it's not a global state, thi Show quoted text On 2014/10/22 19:48:36, Ryan Sleevi wrote: > This test has global effect that isn't reset. > > (As an artifact that our tests run a single test per executable run, you're > being saved, but that's generally a test smell) Good point - now that it's not a global state, this line is gone.
	25

	26 std::string der_test_cert(ct::GetDerEncodedX509Cert());

	27 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),

	28 der_test_cert.length());

	29 ASSERT_TRUE(chain_.get());

	30 }

	31

	32 void FillResultWithSCTsOfOrigin(

	33 ct::SignedCertificateTimestamp::Origin desired_origin,

	34 int num_scts,

	35 ct::CTVerifyResult* result) {

	36 for (int i = 0; i < num_scts; ++i) {

	37 scoped_refptr<ct::SignedCertificateTimestamp> sct(

	38 new ct::SignedCertificateTimestamp());

	39 sct->origin = desired_origin;

	40 result->verified_scts.push_back(sct);

	41 }

	42 }

	43

	44 protected:

	45 scoped_ptr<CertPolicyEnforcer> policy_enforcer_;

	46 scoped_refptr<X509Certificate> chain_;

	47 };

	48

	49 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {

	50 ct::CTVerifyResult result;

	51 FillResultWithSCTsOfOrigin(

	52 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);

	53

	54 ASSERT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), result));

	55 }

	56

	57 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {

	58 // We know that the chain_ is valid for 10 years - over 121 months - so
	Ryan Sleevi 2014/10/22 19:48:36 Don't include pronouns in comments - https://group Don't include pronouns in comments - https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/NH-S6KCkr2M Eran Messeri 2014/10/24 12:12:35 Done. Show quoted text On 2014/10/22 19:48:36, Ryan Sleevi wrote: > Don't include pronouns in comments - > https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/NH-S6KCkr2M Done.
	59 // requires 5 SCTs.

	60 ct::CTVerifyResult result;

	61 FillResultWithSCTsOfOrigin(

	62 ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, &result);

	63

	64 ASSERT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), result));

	65 }

	66

	67 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyMixedOriginSCTs) {

	68 ct::CTVerifyResult result;

	69 FillResultWithSCTsOfOrigin(

	70 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);

	71 result.verified_scts[1]->origin =

	72 ct::SignedCertificateTimestamp::SCT_EMBEDDED;

	73 ASSERT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), result));

	74 }

	75

	76 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {

	77 // We know that the chain_ is valid for 10 years - over 121 months - so

	78 // 5 SCTs are required. However, as there are only two logs, two SCTs

	79 // will be required - so provide one to guarantee the test fails.

	80 ct::CTVerifyResult result;

	81 FillResultWithSCTsOfOrigin(

	82 ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, &result);

	83

	84 ASSERT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), result));

	85 }

	86
	Ryan Sleevi 2014/10/22 19:48:35 Seems like there's a lot of stuff in the enforcer Seems like there's a lot of stuff in the enforcer that remains untested, such as the 4/3/2 SCT split, invalid dates, etc. Please consider adding a test for every branch in the enforcer. Eran Messeri 2014/10/24 12:12:35 Good point, added tests for all branches. Show quoted text On 2014/10/22 19:48:35, Ryan Sleevi wrote: > Seems like there's a lot of stuff in the enforcer that remains untested, such as > the 4/3/2 SCT split, invalid dates, etc. Please consider adding a test for every > branch in the enforcer. Good point, added tests for all branches.
	87 } // namespace

	88 } // namespace net

OLD	NEW

« net/cert/cert_policy_enforcer.cc ('K') | « net/cert/cert_policy_enforcer.cc ('k') | net/cert/ct_verifier.h » ('j') | net/cert/ct_verifier.h » ('J')