| Index: net/cert/multi_log_ct_verifier_unittest.cc
|
| diff --git a/net/cert/multi_log_ct_verifier_unittest.cc b/net/cert/multi_log_ct_verifier_unittest.cc
|
| index c2ae25e307351abbd0ab65adce40619b50780faa..a079c8713c0f0651c66f014b28e7e50c5f735d5c 100644
|
| --- a/net/cert/multi_log_ct_verifier_unittest.cc
|
| +++ b/net/cert/multi_log_ct_verifier_unittest.cc
|
| @@ -44,6 +44,7 @@ class MultiLogCTVerifierTest : public ::testing::Test {
|
|
|
| verifier_.reset(new MultiLogCTVerifier());
|
| verifier_->AddLog(log.Pass());
|
| + verifier_->SetEnforceCTEVPolicy(true);
|
| std::string der_test_cert(ct::GetDerEncodedX509Cert());
|
| chain_ = X509Certificate::CreateFromBytes(
|
| der_test_cert.data(),
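Review bot: Calling `SetEnforceCTEVPolicy(true)` in the shared fixture set-up makes every test in this file run with enforcement on, and none of the visible hunks exercises the verifier with enforcement off. Because the flag gates a certificate-policy decision, both states deserve coverage. A case that calls `verifier_->SetEnforceCTEVPolicy(false);` before `DoesConformToCTEVPolicy` would pin what the disabled path returns; the expected value is not visible here, so it has to come from the implementation. A short comment above the call, such as `// All tests in this fixture run with the CT EV policy enforced.`, would make the fixture-wide effect explicit. The set-up method starts and ends outside this hunk.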
|
| @@ -71,7 +72,7 @@ class MultiLogCTVerifierTest : public ::testing::Test {
|
| (result.verified_scts[0]->origin == origin);
|
| }
|
|
|
| - bool CheckForEmbeddedSCTInNetLog(CapturingNetLog& net_log) {
|
| + bool CheckForEmbeddedSCTInNetLog(const CapturingNetLog& net_log) {
|
| CapturingNetLog::CapturedEntryList entries;
|
| net_log.GetEntries(&entries);
|
| if (entries.size() != 2)
|
| @@ -184,6 +185,18 @@ class MultiLogCTVerifierTest : public ::testing::Test {
|
| ct::SCT_STATUS_OK);
|
| }
|
|
|
| + void FillResultWithSCTsOfOrigin(
|
| + ct::SignedCertificateTimestamp::Origin desired_origin,
|
| + int num_scts,
|
| + ct::CTVerifyResult* result) {
|
| + for (int i = 0; i < num_scts; ++i) {
|
| + scoped_refptr<ct::SignedCertificateTimestamp> sct(
|
| + new ct::SignedCertificateTimestamp());
|
| + sct->origin = desired_origin;
|
| + result->verified_scts.push_back(sct);
|
| + }
|
| + }
|
| +
|
| protected:
|
| scoped_ptr<MultiLogCTVerifier> verifier_;
|
| scoped_refptr<X509Certificate> chain_;
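Review bot: `FillResultWithSCTsOfOrigin` assigns only `origin` on each SCT it creates, so the objects it puts into `verified_scts` carry no log id, timestamp or signature set by this code and never went through verification. That is adequate while the policy check only counts SCTs by origin, but the limitation should be written down so the helper is not reused for checks that read other fields. Suggested comment: `// Appends |num_scts| SCTs with only |origin| set to |result->verified_scts|. Only suitable for checks that count SCTs by origin.` The helper is also added above `protected:`, which presumably leaves it in the fixture's public section; the class starts outside this hunk, so that is worth confirming.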
|
| @@ -294,6 +307,53 @@ TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) {
|
| GetValueFromHistogram(kSCTCountHistogram, 0));
|
| }
|
|
|
| +TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(
|
| + ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
|
| + 2,
|
| + &result);
|
| +
|
| + ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result));
|
| +}
|
| +
|
| +TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
|
| + // We know that the chain_ is valid for 10 years - over 121 months - so
|
| + // requires 5 SCTs.
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(
|
| + ct::SignedCertificateTimestamp::SCT_EMBEDDED,
|
| + 5,
|
| + &result);
|
| +
|
| + ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result));
|
| +}
|
| +
|
| +TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyMixedOriginSCTs) {
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(
|
| + ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
|
| + 2,
|
| + &result);
|
| + result.verified_scts[1]->origin =
|
| + ct::SignedCertificateTimestamp::SCT_EMBEDDED;
|
| + ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result));
|
| +}
|
| +
|
| +TEST_F(MultiLogCTVerifierTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
|
| + // We know that the chain_ is valid for 10 years - over 121 months - so
|
| + // 5 SCTs are required. However, as there are only two logs, two SCTs
|
| + // will be required - so provide one to guarantee the test fails.
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(
|
| + ct::SignedCertificateTimestamp::SCT_EMBEDDED,
|
| + 1,
|
| + &result);
|
| +
|
| + ASSERT_FALSE(verifier_->DoesConformToCTEVPolicy(chain_, result));
|
| +}
|
| +
|
| +
|
| } // namespace
|
|
|
| } // namespace net
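Review bot: The only negative case here is a single embedded SCT, so the thresholds the policy enforces are not pinned at their boundaries. By the test's own comment the embedded requirement is capped at two by the number of logs, which means `ConformsToCTEVPolicyWithEmbeddedSCTs` with 5 SCTs would pass for any threshold up to 5 and does not exercise the validity-period rule. Consider adding cases just below each limit, for example an empty result (`ct::CTVerifyResult result;` followed by `ASSERT_FALSE(verifier_->DoesConformToCTEVPolicy(chain_, result));`, assuming zero SCTs must not conform) and a single TLS-extension SCT. The comment's "two logs" should also be checked against the set-up, since the first hunk shows one `AddLog` call and the rest of the set-up is outside view. Finally, "guarantee the test fails" reads as if the test itself fails; `// will be required - so provide only one so that the policy check fails.` is clearer.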
|
|
|