Index: net/cert/cert_policy_enforcer_unittest.cc |
diff --git a/net/cert/cert_policy_enforcer_unittest.cc b/net/cert/cert_policy_enforcer_unittest.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..45a2e6af87cc1999ceaa439c368f3650d0dbd3f7 |
--- /dev/null |
+++ b/net/cert/cert_policy_enforcer_unittest.cc |
@@ -0,0 +1,212 @@ |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "net/cert/cert_policy_enforcer.h" |
+ |
+#include <string> |
+ |
+#include "base/memory/scoped_ptr.h" |
+#include "net/base/test_data_directory.h" |
+#include "net/cert/ct_ev_whitelist.h" |
+#include "net/cert/ct_verify_result.h" |
+#include "net/cert/x509_certificate.h" |
+#include "net/test/cert_test_util.h" |
+#include "net/test/ct_test_util.h" |
+#include "testing/gmock/include/gmock/gmock.h" |
+#include "testing/gtest/include/gtest/gtest.h" |
+ |
+namespace net { |
+ |
+namespace { |
+ |
+class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { |
+ public: |
+ DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response) |
+ : canned_is_valid_(is_valid_response), |
+ canned_contains_response_(contains_hash_response) {} |
+ |
+ bool IsValid() const override { return canned_is_valid_; } |
+ |
+ bool ContainsCertificateHash( |
+ const std::string& certificate_hash) const override { |
+ return canned_contains_response_; |
+ } |
+ |
+ protected: |
+ ~DummyEVCertsWhitelist() override {} |
+ |
+ private: |
+ bool canned_is_valid_; |
+ bool canned_contains_response_; |
+}; |
+ |
+class CertPolicyEnforcerTest : public ::testing::Test { |
+ public: |
+ virtual void SetUp() override { |
+ policy_enforcer_.reset(new CertPolicyEnforcer(5, true)); |
+ |
+ std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
+ chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), |
+ der_test_cert.size()); |
+ ASSERT_TRUE(chain_.get()); |
+ } |
+ |
+ void FillResultWithSCTsOfOrigin( |
+ ct::SignedCertificateTimestamp::Origin desired_origin, |
+ int num_scts, |
+ ct::CTVerifyResult* result) { |
+ for (int i = 0; i < num_scts; ++i) { |
+ scoped_refptr<ct::SignedCertificateTimestamp> sct( |
+ new ct::SignedCertificateTimestamp()); |
+ sct->origin = desired_origin; |
+ result->verified_scts.push_back(sct); |
+ } |
+ } |
+ |
+ protected: |
+ scoped_ptr<CertPolicyEnforcer> policy_enforcer_; |
+ scoped_refptr<X509Certificate> chain_; |
+}; |
+ |
+TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin( |
+ ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
+ |
+ EXPECT_TRUE( |
+ policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); |
+} |
+ |
+TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
+ // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
+ &result); |
+ |
+ EXPECT_TRUE( |
+ policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); |
+} |
+ |
+TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
+ scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
+ new DummyEVCertsWhitelist(true, false)); |
+ // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
+ // However, as there are only two logs, two SCTs will be required - supply one |
+ // to guarantee the test fails. |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
+ &result); |
+ |
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
+ chain_.get(), non_including_whitelist.get(), result)); |
+ |
+ // ... but should be OK if whitelisted. |
+ scoped_refptr<ct::EVCertsWhitelist> whitelist( |
+ new DummyEVCertsWhitelist(true, true)); |
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
+ chain_.get(), whitelist.get(), result)); |
+} |
+ |
+TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) { |
+ scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false)); |
+ |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
+ &result); |
+ // Expect true despite the chain not having enough SCTs as the policy |
+ // is not enforced. |
+ EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); |
+} |
+ |
+TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
+ scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
+ "subject", "issuer", base::Time(), base::Time::Now())); |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
+ &result); |
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
+ no_valid_dates_cert.get(), nullptr, result)); |
+ // ... but should be OK if whitelisted. |
+ scoped_refptr<ct::EVCertsWhitelist> whitelist( |
+ new DummyEVCertsWhitelist(true, true)); |
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
+ chain_.get(), whitelist.get(), result)); |
+} |
+ |
+TEST_F(CertPolicyEnforcerTest, |
+ ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
+ // Test multiple validity periods: Over 27 months, Over 15 months (but less |
+ // than 27 months), |
+ // Less than 15 months. |
+ const size_t validity_period[] = {12, 19, 30, 50}; |
+ const size_t needed_scts[] = {2, 3, 4, 5}; |
+ |
+ for (int i = 0; i < 3; ++i) { |
+ size_t curr_validity = validity_period[i]; |
+ scoped_refptr<X509Certificate> cert(new X509Certificate( |
+ "subject", "issuer", base::Time::Now(), |
+ base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity))); |
+ size_t curr_required_scts = needed_scts[i]; |
+ ct::CTVerifyResult result; |
+ for (size_t j = 0; j < curr_required_scts - 1; ++j) { |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
+ 1, &result); |
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), |
+ nullptr, result)) |
+ << " for: " << curr_validity << " and " << curr_required_scts |
+ << " scts=" << result.verified_scts.size() << " j=" << j; |
+ } |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
+ &result); |
+ EXPECT_TRUE( |
+ policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, result)); |
+ } |
+} |
+ |
+TEST_F(CertPolicyEnforcerTest, |
+ ConformsToPolicyButDoesNotRequireMoreThanNumLogs) { |
+ scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true)); |
+ |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
+ &result); |
+ // Expect true despite the chain not having enough SCTs according to the |
+ // policy |
+ // since we only have 2 logs. |
+ EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); |
+} |
+ |
+TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
+ scoped_refptr<ct::EVCertsWhitelist> whitelist( |
+ new DummyEVCertsWhitelist(true, true)); |
+ |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
+ &result); |
+ EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
+ chain_.get(), whitelist.get(), result)); |
+} |
+ |
+TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
+ scoped_refptr<ct::EVCertsWhitelist> whitelist( |
+ new DummyEVCertsWhitelist(false, true)); |
+ |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
+ &result); |
+ EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
+ chain_.get(), whitelist.get(), result)); |
+} |
+ |
+TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
+ ct::CTVerifyResult result; |
+ FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
+ &result); |
+ EXPECT_FALSE( |
+ policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); |
+} |
+ |
+} // namespace |
+ |
+} // namespace net |