net/cert/cert_policy_enforcer_unittest.cc - Issue 422063004: Certificate Transparency: Require SCTs for EV certificates.

Unified Diff: net/cert/cert_policy_enforcer_unittest.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Added missing include Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/cert_policy_enforcer_unittest.cc

diff --git a/net/cert/cert_policy_enforcer_unittest.cc b/net/cert/cert_policy_enforcer_unittest.cc

new file mode 100644

index 0000000000000000000000000000000000000000..88d264617458e2ed7918c492df029c5cc0815e4e

--- /dev/null

+++ b/net/cert/cert_policy_enforcer_unittest.cc

@@ -0,0 +1,190 @@

+// Use of this source code is governed by a BSD-style license that can be

+// found in the LICENSE file.

+#include "net/cert/cert_policy_enforcer.h"

+#include <string>

+#include "base/memory/scoped_ptr.h"

+#include "net/cert/ct_ev_whitelist.h"

+#include "net/cert/ct_verify_result.h"

+#include "net/cert/x509_certificate.h"

+#include "net/test/cert_test_util.h"

+#include "net/test/ct_test_util.h"

+#include "testing/gtest/include/gtest/gtest.h"

+namespace net {

+namespace {

+class DummyEVCertsWhitelist : public ct::EVCertsWhitelist {

+ public:

+ explicit DummyEVCertsWhitelist(bool always_return)

+ : canned_response_(always_return) {}

+ bool IsValid() const override { return true; }

+ bool ContainsCertificateHash(

+ const std::string& certificate_hash) const override {

+ return canned_response_;

+ }

+ protected:

+ ~DummyEVCertsWhitelist() override {}

+ private:

+ bool canned_response_;

+};

Ryan Sleevi 2014/11/28 15:27:44 Seems like this could/should be replaced with GMoc

Eran Messeri 2014/12/01 13:59:03 Done with a slight variation: I couldn't use ON_CA

+class CertPolicyEnforcerTest : public ::testing::Test {

+ public:

+ virtual void SetUp() override {

+ policy_enforcer_.reset(new CertPolicyEnforcer(5, true));

+ std::string der_test_cert(ct::GetDerEncodedX509Cert());

+ chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),

+ der_test_cert.length());

Ryan Sleevi 2014/11/28 15:27:44 s/.length()/.size()/

Eran Messeri 2014/12/01 13:59:03 Done.

+ ASSERT_TRUE(chain_.get());

+ whitelist_ = new DummyEVCertsWhitelist(false);

Ryan Sleevi 2014/11/28 15:27:44 Nuke this in favour of consistency among the tests

Eran Messeri 2014/12/01 13:59:03 Done, per your suggestion, particularly: (1) used

+ }

+ void FillResultWithSCTsOfOrigin(

+ ct::SignedCertificateTimestamp::Origin desired_origin,

+ int num_scts,

+ ct::CTVerifyResult* result) {

+ for (int i = 0; i < num_scts; ++i) {

+ scoped_refptr<ct::SignedCertificateTimestamp> sct(

+ new ct::SignedCertificateTimestamp());

+ sct->origin = desired_origin;

+ result->verified_scts.push_back(sct);

+ }

+ protected:

+ scoped_ptr<CertPolicyEnforcer> policy_enforcer_;

+ scoped_refptr<X509Certificate> chain_;

+ scoped_refptr<ct::EVCertsWhitelist> whitelist_;

+};

+TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {

+ ct::CTVerifyResult result;

+ FillResultWithSCTsOfOrigin(

+ ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);

+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(

+ chain_.get(), whitelist_.get(), result));

+TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {

+ // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.

+ ct::CTVerifyResult result;

+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,

+ &result);

+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(

+ chain_.get(), whitelist_.get(), result));

+TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyMixedOriginSCTs) {

+ ct::CTVerifyResult result;

+ FillResultWithSCTsOfOrigin(

+ ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);

+ result.verified_scts[1]->origin =

+ ct::SignedCertificateTimestamp::SCT_EMBEDDED;

+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(

+ chain_.get(), whitelist_.get(), result));

+TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {

+ // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.

+ // However, as there are only two logs, two SCTs will be required - supply one

+ // to guarantee the test fails.

+ ct::CTVerifyResult result;

+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,

+ &result);

+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(

+ chain_.get(), whitelist_.get(), result));

+TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) {

+ scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false));

+ ct::CTVerifyResult result;

+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,

+ &result);

+ // Expect true despite the chain not having enough SCTs as the policy

+ // is not enforced.

+ EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), whitelist_.get(),

+ result));

+TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {

+ scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(

+ "subject", "issuer", base::Time(), base::Time::Now()));

+ ct::CTVerifyResult result;

+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,

+ &result);

+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(

+ no_valid_dates_cert.get(), NULL, result));

+TEST_F(CertPolicyEnforcerTest,

+ ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {

+ // Test multiple validity periods: Over 27 months, Over 15 months (but less

+ // than 27 months),

+ // Less than 15 months.

+ const size_t validity_period[] = {12, 19, 30, 50};

+ const size_t needed_scts[] = {2, 3, 4, 5};

+ for (int i = 0; i < 3; ++i) {

+ size_t curr_validity = validity_period[i];

+ scoped_refptr<X509Certificate> cert(new X509Certificate(

+ "subject", "issuer", base::Time::Now(),

+ base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity)));

+ size_t curr_required_scts = needed_scts[i];

+ ct::CTVerifyResult result;

+ for (size_t j = 0; j < curr_required_scts - 1; ++j) {

+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,

+ 1, &result);

+ EXPECT_FALSE(

+ policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), NULL, result))

+ << " for: " << curr_validity << " and " << curr_required_scts

+ << " scts=" << result.verified_scts.size() << " j=" << j;

+ }

+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,

+ &result);

+ EXPECT_TRUE(

+ policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), NULL, result));

+ }

+TEST_F(CertPolicyEnforcerTest,

+ ConformsToPolicyButDoesNotRequireMoreThanNumLogs) {

+ scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true));

+ ct::CTVerifyResult result;

+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,

+ &result);

+ // Expect true despite the chain not having enough SCTs according to the

+ // policy

+ // since we only have 2 logs.

+ EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), whitelist_.get(),

+ result));

+TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {

+ scoped_refptr<ct::EVCertsWhitelist> whitelist =

+ new DummyEVCertsWhitelist(true);

+ ct::CTVerifyResult result;

+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,

+ &result);

+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(

+ chain_.get(), whitelist.get(), result));

+} // namespace

+} // namespace net

« net/cert/cert_policy_enforcer.cc ('K') | « net/cert/cert_policy_enforcer.cc ('k') | net/http/http_network_session.h » ('j') | net/socket/ssl_client_socket_nss.cc » ('J')