Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(142)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_policy_enforcer_unittest.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Addressing review comments. Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/cert_policy_enforcer.cc ('K') | « net/cert/cert_policy_enforcer.cc ('k') | net/http/http_network_session.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_policy_enforcer_unittest.cc
diff --git a/net/cert/cert_policy_enforcer_unittest.cc b/net/cert/cert_policy_enforcer_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..04c231914bb257831cdfd2767dff7d779051bd73
--- /dev/null
+++ b/net/cert/cert_policy_enforcer_unittest.cc
@@ -0,0 +1,207 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/cert_policy_enforcer.h"
+
+#include <string>
+
+#include "base/memory/scoped_ptr.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/ct_ev_whitelist.h"
+#include "net/cert/ct_verify_result.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
+#include "net/test/ct_test_util.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace {
+
+class MockEVCertsWhitelist : public ct::EVCertsWhitelist {
+ public:
+ MockEVCertsWhitelist(bool is_valid_return, bool contains_hash_return) {
+ EXPECT_CALL(*this, IsValid()).WillOnce(testing::Return(is_valid_return));
+ if (is_valid_return)
+ EXPECT_CALL(*this, ContainsCertificateHash(testing::_))
+ .WillOnce(testing::Return(contains_hash_return));
Ryan Sleevi 2014/12/01 15:27:55 Right, I wanted to entirely avoid EXPECT_CALL, it'
+ }
+
+ MOCK_CONST_METHOD0(IsValid, bool());
+ MOCK_CONST_METHOD1(ContainsCertificateHash, bool(const std::string&));
+
+ protected:
+ ~MockEVCertsWhitelist() override {}
+};
+
+class CertPolicyEnforcerTest : public ::testing::Test {
+ public:
+ virtual void SetUp() override {
+ policy_enforcer_.reset(new CertPolicyEnforcer(5, true));
+
+ std::string der_test_cert(ct::GetDerEncodedX509Cert());
+ chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
+ der_test_cert.size());
+ ASSERT_TRUE(chain_.get());
+ }
+
+ void FillResultWithSCTsOfOrigin(
+ ct::SignedCertificateTimestamp::Origin desired_origin,
+ int num_scts,
+ ct::CTVerifyResult* result) {
+ for (int i = 0; i < num_scts; ++i) {
+ scoped_refptr<ct::SignedCertificateTimestamp> sct(
+ new ct::SignedCertificateTimestamp());
+ sct->origin = desired_origin;
+ result->verified_scts.push_back(sct);
+ }
+ }
+
+ protected:
+ scoped_ptr<CertPolicyEnforcer> policy_enforcer_;
+ scoped_refptr<X509Certificate> chain_;
+};
+
+TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(
+ ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
+
+ EXPECT_TRUE(
+ policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result));
+}
+
+TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
+ // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
+ &result);
+
+ EXPECT_TRUE(
+ policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result));
+}
+
+TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
+ scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist =
+ new MockEVCertsWhitelist(true, false);
+ // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
+ // However, as there are only two logs, two SCTs will be required - supply one
+ // to guarantee the test fails.
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
+ &result);
+
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), non_including_whitelist.get(), result));
Ryan Sleevi 2014/12/01 15:27:55 did clang-format (aka "git cl format") do this? If
Eran Messeri 2014/12/01 17:29:54 I can only assume it did (I ran git-cl format).
+
+ // ... but should be OK if whitelisted.
+ scoped_refptr<ct::EVCertsWhitelist> whitelist =
+ new MockEVCertsWhitelist(true, true);
Ryan Sleevi 2014/12/01 15:27:55 Note dominant style in this file is to use ctor in
Eran Messeri 2014/12/01 17:29:54 Done.
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), whitelist.get(), result));
+}
+
+TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) {
+ scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false));
+
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
+ &result);
+ // Expect true despite the chain not having enough SCTs as the policy
+ // is not enforced.
+ EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result));
+}
+
+TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
+ scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
+ "subject", "issuer", base::Time(), base::Time::Now()));
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
+ &result);
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
+ no_valid_dates_cert.get(), nullptr, result));
+ // ... but should be OK if whitelisted.
+ scoped_refptr<ct::EVCertsWhitelist> whitelist =
+ new MockEVCertsWhitelist(true, true);
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), whitelist.get(), result));
+}
+
+TEST_F(CertPolicyEnforcerTest,
+ ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
+ // Test multiple validity periods: Over 27 months, Over 15 months (but less
+ // than 27 months),
+ // Less than 15 months.
+ const size_t validity_period[] = {12, 19, 30, 50};
+ const size_t needed_scts[] = {2, 3, 4, 5};
+
+ for (int i = 0; i < 3; ++i) {
+ size_t curr_validity = validity_period[i];
+ scoped_refptr<X509Certificate> cert(new X509Certificate(
+ "subject", "issuer", base::Time::Now(),
+ base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity)));
+ size_t curr_required_scts = needed_scts[i];
+ ct::CTVerifyResult result;
+ for (size_t j = 0; j < curr_required_scts - 1; ++j) {
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
+ 1, &result);
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(cert.get(),
+ nullptr, result))
+ << " for: " << curr_validity << " and " << curr_required_scts
+ << " scts=" << result.verified_scts.size() << " j=" << j;
+ }
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
+ &result);
+ EXPECT_TRUE(
+ policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, result));
+ }
+}
+
+TEST_F(CertPolicyEnforcerTest,
+ ConformsToPolicyButDoesNotRequireMoreThanNumLogs) {
+ scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true));
+
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2,
+ &result);
+ // Expect true despite the chain not having enough SCTs according to the
+ // policy
+ // since we only have 2 logs.
+ EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result));
+}
+
+TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
+ scoped_refptr<ct::EVCertsWhitelist> whitelist =
+ new MockEVCertsWhitelist(true, true);
+
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
+ &result);
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), whitelist.get(), result));
+}
+
+TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
+ scoped_refptr<ct::EVCertsWhitelist> whitelist =
+ new MockEVCertsWhitelist(false, true);
+
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
+ &result);
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
+ chain_.get(), whitelist.get(), result));
+}
+
+TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) {
+ ct::CTVerifyResult result;
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
+ &result);
+ EXPECT_FALSE(
+ policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result));
+}
+
+} // namespace
+
+} // namespace net
« net/cert/cert_policy_enforcer.cc ('K') | « net/cert/cert_policy_enforcer.cc ('k') | net/http/http_network_session.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698