Index: net/cert/multi_log_ct_verifier_unittest.cc |
diff --git a/net/cert/multi_log_ct_verifier_unittest.cc b/net/cert/multi_log_ct_verifier_unittest.cc |
index c2ae25e307351abbd0ab65adce40619b50780faa..a079c8713c0f0651c66f014b28e7e50c5f735d5c 100644 |
--- a/net/cert/multi_log_ct_verifier_unittest.cc |
+++ b/net/cert/multi_log_ct_verifier_unittest.cc |
@@ -44,6 +44,7 @@ class MultiLogCTVerifierTest : public ::testing::Test { |
verifier_.reset(new MultiLogCTVerifier()); |
verifier_->AddLog(log.Pass()); |
+ verifier_->SetEnforceCTEVPolicy(true); |
std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
chain_ = X509Certificate::CreateFromBytes( |
der_test_cert.data(), |
@@ -71,7 +72,7 @@ class MultiLogCTVerifierTest : public ::testing::Test { |
(result.verified_scts[0]->origin == origin); |
} |
- bool CheckForEmbeddedSCTInNetLog(CapturingNetLog& net_log) { |
+ bool CheckForEmbeddedSCTInNetLog(const CapturingNetLog& net_log) { |
CapturingNetLog::CapturedEntryList entries; |
net_log.GetEntries(&entries); |
if (entries.size() != 2) |
@@ -184,6 +185,18 @@ class MultiLogCTVerifierTest : public ::testing::Test { |
ct::SCT_STATUS_OK); |
} |
+ void FillResultWithSCTsOfOrigin( |
+ ct::SignedCertificateTimestamp::Origin desired_origin, |
+ int num_scts, |
+ ct::CTVerifyResult* result) { |
+ for (int i = 0; i < num_scts; ++i) { |
+ scoped_refptr<ct::SignedCertificateTimestamp> sct( |
+ new ct::SignedCertificateTimestamp()); |
+ sct->origin = desired_origin; |
+ result->verified_scts.push_back(sct); |
+ } |
+ } |
+ |
protected: |
scoped_ptr<MultiLogCTVerifier> verifier_; |
scoped_refptr<X509Certificate> chain_; |
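Review bot: `FillResultWithSCTsOfOrigin` has no header comment and sets only `origin` on each SCT it creates, leaving every other field at its default, so the SCTs it appends are indistinguishable from one another and cannot exercise any policy rule that looks at which log issued an SCT. That limitation should be stated so the helper is not later reused for log-diversity checks: `// Appends |num_scts| freshly created SCTs with |desired_origin| to |result|. Only the origin is set, so the SCTs are otherwise identical; use only for origin/count-based policy tests.` It also appends rather than replaces, which callers that build mixed-origin results rely on and which the comment should mention.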
@@ -294,6 +307,53 @@ TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) { |
GetValueFromHistogram(kSCTCountHistogram, 0)); |
} |
+TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin( |
+ ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
+ 2, |
+ &result); |
+ |
+ ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result)); |
+} |
+ |
+TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
+ // We know that the chain_ is valid for 10 years - over 121 months - so |
+ // requires 5 SCTs. |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin( |
+ ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
+ 5, |
+ &result); |
+ |
+ ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result)); |
+} |
+ |
+TEST_F(MultiLogCTVerifierTest, ConformsToCTEVPolicyMixedOriginSCTs) { |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin( |
+ ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
+ 2, |
+ &result); |
+ result.verified_scts[1]->origin = |
+ ct::SignedCertificateTimestamp::SCT_EMBEDDED; |
+ ASSERT_TRUE(verifier_->DoesConformToCTEVPolicy(chain_, result)); |
+} |
+ |
+TEST_F(MultiLogCTVerifierTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
+ // We know that the chain_ is valid for 10 years - over 121 months - so |
+ // 5 SCTs are required. However, as there are only two logs, two SCTs |
+ // will be required - so provide one to guarantee the test fails. |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin( |
+ ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
+ 1, |
+ &result); |
+ |
+ ASSERT_FALSE(verifier_->DoesConformToCTEVPolicy(chain_, result)); |
+} |
+ |
+ |
} // namespace |
} // namespace net |
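Review bot: None of the new tests pins the lifetime-dependent SCT threshold the comments describe: `ConformsToCTEVPolicyWithEmbeddedSCTs` supplies 5 embedded SCTs and `DoesNotConformToCTEVPolicyNotEnoughSCTs` supplies 1, so an implementation that accepted any two SCTs regardless of certificate lifetime would pass every case in this hunk; a test with one fewer embedded SCT than the stated requirement, as below, closes that gap. The comment in `DoesNotConformToCTEVPolicyNotEnoughSCTs` also says "10 years - over 121 months" and "as there are only two logs", but ten years is 120 months and the fixture at the top of this diff adds a single log, so it contradicts the `WithEmbeddedSCTs` comment and should be corrected or dropped. Likewise `ConformsToCTEVPolicyMixedOriginSCTs` only shows that 1 TLS-extension + 1 embedded SCT passes; a companion case with a single TLS-extension SCT would show whether the non-embedded path has any lower bound.
```cpp
TEST_F(MultiLogCTVerifierTest, DoesNotConformToCTEVPolicyOneSCTShort) {
  // Per the WithEmbeddedSCTs test, chain_'s 10-year validity requires 5
  // embedded SCTs; 4 must be rejected so the threshold itself is pinned,
  // not merely the trivially low count of one.
  ct::CTVerifyResult result;
  FillResultWithSCTsOfOrigin(
      ct::SignedCertificateTimestamp::SCT_EMBEDDED,
      4,
      &result);

  ASSERT_FALSE(verifier_->DoesConformToCTEVPolicy(chain_, result));
}
```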