1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/cert_policy_enforcer.h" | |
6 | |
7 #include <string> | |
8 | |
9 #include "base/memory/scoped_ptr.h" | |
10 #include "net/cert/ct_verify_result.h" | |
11 #include "net/cert/x509_certificate.h" | |
12 #include "net/test/cert_test_util.h" | |
13 #include "net/test/ct_test_util.h" | |
14 #include "testing/gtest/include/gtest/gtest.h" | |
15 | |
16 namespace net { | |
17 | |
18 namespace { | |
19 | |
20 class CertPolicyEnforcerTest : public ::testing::Test { | |
21 public: | |
22 virtual void SetUp() override { | |
23 policy_enforcer_.reset(new CertPolicyEnforcer(3)); | |
24 CertPolicyEnforcer::SetEnforceCTEVPolicy(true); | |
Ryan Sleevi
2014/10/22 19:48:36
This test has global effect that isn't reset.
(As
Eran Messeri
2014/10/24 12:12:36
Good point - now that it's not a global state, thi
| |
25 | |
26 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | |
27 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | |
28 der_test_cert.length()); | |
29 ASSERT_TRUE(chain_.get()); | |
30 } | |
31 | |
32 void FillResultWithSCTsOfOrigin( | |
33 ct::SignedCertificateTimestamp::Origin desired_origin, | |
34 int num_scts, | |
35 ct::CTVerifyResult* result) { | |
36 for (int i = 0; i < num_scts; ++i) { | |
37 scoped_refptr<ct::SignedCertificateTimestamp> sct( | |
38 new ct::SignedCertificateTimestamp()); | |
39 sct->origin = desired_origin; | |
40 result->verified_scts.push_back(sct); | |
41 } | |
42 } | |
43 | |
44 protected: | |
45 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; | |
46 scoped_refptr<X509Certificate> chain_; | |
47 }; | |
48 | |
49 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | |
50 ct::CTVerifyResult result; | |
51 FillResultWithSCTsOfOrigin( | |
52 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | |
53 | |
54 ASSERT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), result)); | |
55 } | |
56 | |
57 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | |
58 // We know that the chain_ is valid for 10 years - over 121 months - so | |
Ryan Sleevi
2014/10/22 19:48:36
Don't include pronouns in comments - https://group
Eran Messeri
2014/10/24 12:12:35
Done.
| |
59 // requires 5 SCTs. | |
60 ct::CTVerifyResult result; | |
61 FillResultWithSCTsOfOrigin( | |
62 ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, &result); | |
63 | |
64 ASSERT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), result)); | |
65 } | |
66 | |
67 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyMixedOriginSCTs) { | |
68 ct::CTVerifyResult result; | |
69 FillResultWithSCTsOfOrigin( | |
70 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | |
71 result.verified_scts[1]->origin = | |
72 ct::SignedCertificateTimestamp::SCT_EMBEDDED; | |
73 ASSERT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), result)); | |
74 } | |
75 | |
76 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | |
77 // We know that the chain_ is valid for 10 years - over 121 months - so | |
78 // 5 SCTs are required. However, as there are only two logs, two SCTs | |
79 // will be required - so provide one to guarantee the test fails. | |
80 ct::CTVerifyResult result; | |
81 FillResultWithSCTsOfOrigin( | |
82 ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, &result); | |
83 | |
84 ASSERT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), result)); | |
85 } | |
86 | |
Ryan Sleevi
2014/10/22 19:48:35
Seems like there's a lot of stuff in the enforcer
Eran Messeri
2014/10/24 12:12:35
Good point, added tests for all branches.
| |
87 } // namespace | |
88 } // namespace net | |
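Review bot: The comments on the two embedded-SCT tests disagree on the threshold in effect — the ConformsToCTEVPolicyWithEmbeddedSCTs comment says the chain's 121-month validity requires 5 SCTs, while the DoesNotConformToCTEVPolicyNotEnoughSCTs comment says that with only two logs two SCTs suffice — and no test pins the boundary, since the positive case supplies 5 and the negative case 1, both of which pass under either reading. A negative case one below the stated threshold, e.g. `FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 4, &result);` followed by `ASSERT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), result));`, would settle which rule the enforcer applies and would catch an off-by-one in the count check that decides whether an EV certificate keeps its EV status. Related: FillResultWithSCTsOfOrigin sets only `origin`, so every SCT it creates carries the same default log id; if the enforcer counts distinct logs, as the "only two logs" remark suggests, these fixtures presumably do not exercise that path — confirm, and if so give each generated SCT a distinct `log_id`. Minor style: `virtual void SetUp() override` is redundant; `void SetUp() override` is the convention.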