Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1088)

Unified Diff: net/cert/multi_log_ct_verifier_unittest.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Refining policy based on discussion with rsleevi Created 6 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: net/cert/multi_log_ct_verifier_unittest.cc
diff --git a/net/cert/multi_log_ct_verifier_unittest.cc b/net/cert/multi_log_ct_verifier_unittest.cc
index c2ae25e307351abbd0ab65adce40619b50780faa..a079c8713c0f0651c66f014b28e7e50c5f735d5c 100644
--- a/net/cert/multi_log_ct_verifier_unittest.cc
+++ b/net/cert/multi_log_ct_verifier_unittest.cc
@@ -44,6 +44,7 @@ class MultiLogCTVerifierTest : public ::testing::Test {
verifier_.reset(new MultiLogCTVerifier());
verifier_->AddLog(log.Pass());
+ verifier_->SetEnforceCTEVPolicy(true);
std::string der_test_cert(ct::GetDerEncodedX509Cert());
chain_ = X509Certificate::CreateFromBytes(
der_test_cert.data(),
@@ -71,7 +72,7 @@ class MultiLogCTVerifierTest : public ::testing::Test {
(result.verified_scts[0]->origin == origin);
}
- bool CheckForEmbeddedSCTInNetLog(CapturingNetLog& net_log) {
+ bool CheckForEmbeddedSCTInNetLog(const CapturingNetLog& net_log) {
CapturingNetLog::CapturedEntryList entries;
net_log.GetEntries(&entries);
if (entries.size() != 2)
@@ -184,6 +185,18 @@ class MultiLogCTVerifierTest : public ::testing::Test {
ct::SCT_STATUS_OK);
}
+ void FillResultWithSCTsOfOrigin(
+ ct::SignedCertificateTimestamp::Origin desired_origin,
+ int num_scts,
+ ct::CTVerifyResult* result) {
+ for (int i = 0; i < num_scts; ++i) {
+ scoped_refptr<ct::SignedCertificateTimestamp> sct(
+ new ct::SignedCertificateTimestamp());
+ sct->origin = desired_origin;
+ result->verified_scts.push_back(sct);
+ }
+ }
+
protected:
scoped_ptr<MultiLogCTVerifier> verifier_;
scoped_refptr<X509Certificate> chain_;
@@ -294,6 +307,53 @@ TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) {
GetValueFromHistogram(kSCTCountHistogram, 0));
}
+TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(
+ ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
+ 2,
+ &result);
+
+ ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result));
+}
+
+TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
+ // We know that the chain_ is valid for 10 years - over 121 months - so
+ // requires 5 SCTs.
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(
+ ct::SignedCertificateTimestamp::SCT_EMBEDDED,
+ 5,
+ &result);
+
+ ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result));
+}
+
+TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyMixedOriginSCTs) {
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(
+ ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
+ 2,
+ &result);
+ result.verified_scts[1]->origin =
+ ct::SignedCertificateTimestamp::SCT_EMBEDDED;
+ ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result));
+}
+
+TEST_F(MultiLogCTVerifierTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
+ // We know that the chain_ is valid for 10 years - over 121 months - so
+ // 5 SCTs are required. However, as there are only two logs, two SCTs
+ // will be required - so provide one to guarantee the test fails.
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(
+ ct::SignedCertificateTimestamp::SCT_EMBEDDED,
+ 1,
+ &result);
+
+ ASSERT_FALSE(verifier_->DoesConformToCTEVPolicy(chain_, result));
+}
+
+
} // namespace
} // namespace net

Powered by Google App Engine
This is Rietveld 408576698