| Index: net/cert/cert_policy_enforcer_unittest.cc
|
| diff --git a/net/cert/cert_policy_enforcer_unittest.cc b/net/cert/cert_policy_enforcer_unittest.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..32be62caef28f5f2cc76a78baa2ab67833c74711
|
| --- /dev/null
|
| +++ b/net/cert/cert_policy_enforcer_unittest.cc
|
| @@ -0,0 +1,190 @@
|
| +// Copyright 2014 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "net/cert/cert_policy_enforcer.h"
|
| +
|
| +#include <string>
|
| +
|
| +#include "base/memory/scoped_ptr.h"
|
| +#include "net/cert/ct_ev_whitelist.h"
|
| +#include "net/cert/ct_verify_result.h"
|
| +#include "net/cert/x509_certificate.h"
|
| +#include "net/test/cert_test_util.h"
|
| +#include "net/test/ct_test_util.h"
|
| +#include "testing/gtest/include/gtest/gtest.h"
|
| +
|
| +namespace net {
|
| +
|
| +namespace {
|
| +
|
| +class DummyEVCertsWhitelist : public ct::EVCertsWhitelist {
|
| + public:
|
| + explicit DummyEVCertsWhitelist(bool always_return)
|
| + : canned_response_(always_return) {}
|
| +
|
| + bool IsValid() const override { return true; }
|
| +
|
| + bool ContainsCertificateHash(
|
| + const std::string& certificate_hash) const override {
|
| + return canned_response_;
|
| + }
|
| +
|
| + protected:
|
| + ~DummyEVCertsWhitelist() override {}
|
| +
|
| + private:
|
| + bool canned_response_;
|
| +};
|
| +
|
| +class CertPolicyEnforcerTest : public ::testing::Test {
|
| + public:
|
| + virtual void SetUp() override {
|
| + policy_enforcer_.reset(new CertPolicyEnforcer(5, true));
|
| +
|
| + std::string der_test_cert(ct::GetDerEncodedX509Cert());
|
| + chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
|
| + der_test_cert.length());
|
| + ASSERT_TRUE(chain_.get());
|
| + whitelist_ = new DummyEVCertsWhitelist(false);
|
| + }
|
| +
|
| + void FillResultWithSCTsOfOrigin(
|
| + ct::SignedCertificateTimestamp::Origin desired_origin,
|
| + int num_scts,
|
| + ct::CTVerifyResult* result) {
|
| + for (int i = 0; i < num_scts; ++i) {
|
| + scoped_refptr<ct::SignedCertificateTimestamp> sct(
|
| + new ct::SignedCertificateTimestamp());
|
| + sct->origin = desired_origin;
|
| + result->verified_scts.push_back(sct);
|
| + }
|
| + }
|
| +
|
| + protected:
|
| + scoped_ptr<CertPolicyEnforcer> policy_enforcer_;
|
| + scoped_refptr<X509Certificate> chain_;
|
| + scoped_refptr<ct::EVCertsWhitelist> whitelist_;
|
| +};
|
| +
|
| +TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(
|
| + ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
|
| +
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| + chain_.get(), whitelist_.get(), result));
|
| +}
|
| +
|
| +TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
|
| + // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
|
| + &result);
|
| +
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| + chain_.get(), whitelist_.get(), result));
|
| +}
|
| +
|
| +TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyMixedOriginSCTs) {
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(
|
| + ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
|
| + result.verified_scts[1]->origin =
|
| + ct::SignedCertificateTimestamp::SCT_EMBEDDED;
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| + chain_.get(), whitelist_.get(), result));
|
| +}
|
| +
|
| +TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
|
| + // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
|
| + // However, as there are only two logs, two SCTs will be required - supply one
|
| + // to guarantee the test fails.
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
|
| + &result);
|
| +
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| + chain_.get(), whitelist_.get(), result));
|
| +}
|
| +
|
| +TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) {
|
| + scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false));
|
| +
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
|
| + &result);
|
| + // Expect true despite the chain not having enough SCTs as the policy
|
| + // is not enforced.
|
| + EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), whitelist_.get(),
|
| + result));
|
| +}
|
| +
|
| +TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
|
| + scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
|
| + "subject", "issuer", base::Time(), base::Time::Now()));
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
|
| + &result);
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| + no_valid_dates_cert.get(), NULL, result));
|
| +}
|
| +
|
| +TEST_F(CertPolicyEnforcerTest,
|
| + ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
|
| + // Test multiple validity periods: Over 27 months, Over 15 months (but less
|
| + // than 27 months),
|
| + // Less than 15 months.
|
| + const size_t validity_period[] = {12, 19, 30, 50};
|
| + const size_t needed_scts[] = {2, 3, 4, 5};
|
| +
|
| + for (int i = 0; i < 3; ++i) {
|
| + size_t curr_validity = validity_period[i];
|
| + scoped_refptr<X509Certificate> cert(new X509Certificate(
|
| + "subject", "issuer", base::Time::Now(),
|
| + base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity)));
|
| + size_t curr_required_scts = needed_scts[i];
|
| + ct::CTVerifyResult result;
|
| + for (size_t j = 0; j < curr_required_scts - 1; ++j) {
|
| + FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
|
| + 1, &result);
|
| + EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| + cert.get(), NULL, result))
|
| + << " for: " << curr_validity << " and " << curr_required_scts
|
| + << " scts=" << result.verified_scts.size() << " j=" << j;
|
| + }
|
| + FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
|
| + &result);
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| + cert.get(), NULL, result));
|
| + }
|
| +}
|
| +
|
| +TEST_F(CertPolicyEnforcerTest,
|
| + ConformsToPolicyButDoesNotRequireMoreThanNumLogs) {
|
| + scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true));
|
| +
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
|
| + &result);
|
| + // Expect true despite the chain not having enough SCTs according to the
|
| + // policy
|
| + // since we only have 2 logs.
|
| + EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), whitelist_.get(),
|
| + result));
|
| +}
|
| +
|
| +TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
|
| + scoped_refptr<ct::EVCertsWhitelist> whitelist =
|
| + new DummyEVCertsWhitelist(true);
|
| +
|
| + ct::CTVerifyResult result;
|
| + FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
|
| + &result);
|
| + EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
|
| + chain_.get(), whitelist.get(), result));
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| +} // namespace net
|
|
|
Chromium Code Reviews
Issue 422063004:
Certificate Transparency: Require SCTs for EV certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master