| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_policy_enforcer.h" | 5 #include "net/cert/cert_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
| 10 #include "base/version.h" |
| 10 #include "net/base/test_data_directory.h" | 11 #include "net/base/test_data_directory.h" |
| 11 #include "net/cert/ct_ev_whitelist.h" | 12 #include "net/cert/ct_ev_whitelist.h" |
| 12 #include "net/cert/ct_verify_result.h" | 13 #include "net/cert/ct_verify_result.h" |
| 13 #include "net/cert/x509_certificate.h" | 14 #include "net/cert/x509_certificate.h" |
| 14 #include "net/test/cert_test_util.h" | 15 #include "net/test/cert_test_util.h" |
| 15 #include "net/test/ct_test_util.h" | 16 #include "net/test/ct_test_util.h" |
| 16 #include "testing/gmock/include/gmock/gmock.h" | 17 #include "testing/gmock/include/gmock/gmock.h" |
| 17 #include "testing/gtest/include/gtest/gtest.h" | 18 #include "testing/gtest/include/gtest/gtest.h" |
| 18 | 19 |
| 19 namespace net { | 20 namespace net { |
| 20 | 21 |
| 21 namespace { | 22 namespace { |
| 22 | 23 |
| 23 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { | 24 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist { |
| 24 public: | 25 public: |
| 25 DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response) | 26 DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response) |
| 26 : canned_is_valid_(is_valid_response), | 27 : canned_is_valid_(is_valid_response), |
| 27 canned_contains_response_(contains_hash_response) {} | 28 canned_contains_response_(contains_hash_response) {} |
| 28 | 29 |
| 29 bool IsValid() const override { return canned_is_valid_; } | 30 bool IsValid() const override { return canned_is_valid_; } |
| 30 | 31 |
| 31 bool ContainsCertificateHash( | 32 bool ContainsCertificateHash( |
| 32 const std::string& certificate_hash) const override { | 33 const std::string& certificate_hash) const override { |
| 33 return canned_contains_response_; | 34 return canned_contains_response_; |
| 34 } | 35 } |
| 35 | 36 |
| 37 base::Version Version() const override { return base::Version(); } |
| 38 |
| 36 protected: | 39 protected: |
| 37 ~DummyEVCertsWhitelist() override {} | 40 ~DummyEVCertsWhitelist() override {} |
| 38 | 41 |
| 39 private: | 42 private: |
| 40 bool canned_is_valid_; | 43 bool canned_is_valid_; |
| 41 bool canned_contains_response_; | 44 bool canned_contains_response_; |
| 42 }; | 45 }; |
| 43 | 46 |
| 44 class CertPolicyEnforcerTest : public ::testing::Test { | 47 class CertPolicyEnforcerTest : public ::testing::Test { |
| 45 public: | 48 public: |
| (...skipping 21 matching lines...) Expand all Loading... |
| 67 protected: | 70 protected: |
| 68 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; | 71 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; |
| 69 scoped_refptr<X509Certificate> chain_; | 72 scoped_refptr<X509Certificate> chain_; |
| 70 }; | 73 }; |
| 71 | 74 |
| 72 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 75 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| 73 ct::CTVerifyResult result; | 76 ct::CTVerifyResult result; |
| 74 FillResultWithSCTsOfOrigin( | 77 FillResultWithSCTsOfOrigin( |
| 75 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 78 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
| 76 | 79 |
| 77 EXPECT_TRUE( | 80 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 78 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | 81 result, BoundNetLog())); |
| 79 } | 82 } |
| 80 | 83 |
| 81 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 84 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| 82 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 85 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 83 ct::CTVerifyResult result; | 86 ct::CTVerifyResult result; |
| 84 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 87 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 85 &result); | 88 &result); |
| 86 | 89 |
| 87 EXPECT_TRUE( | 90 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 88 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | 91 result, BoundNetLog())); |
| 89 } | 92 } |
| 90 | 93 |
| 91 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 94 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 92 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 95 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
| 93 new DummyEVCertsWhitelist(true, false)); | 96 new DummyEVCertsWhitelist(true, false)); |
| 94 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 97 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 95 // However, as there are only two logs, two SCTs will be required - supply one | 98 // However, as there are only two logs, two SCTs will be required - supply one |
| 96 // to guarantee the test fails. | 99 // to guarantee the test fails. |
| 97 ct::CTVerifyResult result; | 100 ct::CTVerifyResult result; |
| 98 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 101 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 99 &result); | 102 &result); |
| 100 | 103 |
| 101 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 104 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 102 chain_.get(), non_including_whitelist.get(), result)); | 105 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); |
| 103 | 106 |
| 104 // ... but should be OK if whitelisted. | 107 // ... but should be OK if whitelisted. |
| 105 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 108 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 106 new DummyEVCertsWhitelist(true, true)); | 109 new DummyEVCertsWhitelist(true, true)); |
| 107 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 110 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 108 chain_.get(), whitelist.get(), result)); | 111 chain_.get(), whitelist.get(), result, BoundNetLog())); |
| 109 } | 112 } |
| 110 | 113 |
| 111 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) { | 114 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) { |
| 112 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(false)); | 115 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(false)); |
| 113 | 116 |
| 114 ct::CTVerifyResult result; | 117 ct::CTVerifyResult result; |
| 115 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 118 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 116 &result); | 119 &result); |
| 117 // Expect true despite the chain not having enough SCTs as the policy | 120 // Expect true despite the chain not having enough SCTs as the policy |
| 118 // is not enforced. | 121 // is not enforced. |
| 119 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | 122 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result, |
| 123 BoundNetLog())); |
| 120 } | 124 } |
| 121 | 125 |
| 122 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 126 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
| 123 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 127 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
| 124 "subject", "issuer", base::Time(), base::Time::Now())); | 128 "subject", "issuer", base::Time(), base::Time::Now())); |
| 125 ct::CTVerifyResult result; | 129 ct::CTVerifyResult result; |
| 126 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 130 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 127 &result); | 131 &result); |
| 128 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 132 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 129 no_valid_dates_cert.get(), nullptr, result)); | 133 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); |
| 130 // ... but should be OK if whitelisted. | 134 // ... but should be OK if whitelisted. |
| 131 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 135 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 132 new DummyEVCertsWhitelist(true, true)); | 136 new DummyEVCertsWhitelist(true, true)); |
| 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 137 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 134 chain_.get(), whitelist.get(), result)); | 138 chain_.get(), whitelist.get(), result, BoundNetLog())); |
| 135 } | 139 } |
| 136 | 140 |
| 137 TEST_F(CertPolicyEnforcerTest, | 141 TEST_F(CertPolicyEnforcerTest, |
| 138 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 142 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
| 139 // Test multiple validity periods: Over 27 months, Over 15 months (but less | 143 // Test multiple validity periods: Over 27 months, Over 15 months (but less |
| 140 // than 27 months), | 144 // than 27 months), |
| 141 // Less than 15 months. | 145 // Less than 15 months. |
| 142 const size_t validity_period[] = {12, 19, 30, 50}; | 146 const size_t validity_period[] = {12, 19, 30, 50}; |
| 143 const size_t needed_scts[] = {2, 3, 4, 5}; | 147 const size_t needed_scts[] = {2, 3, 4, 5}; |
| 144 | 148 |
| 145 for (int i = 0; i < 3; ++i) { | 149 for (int i = 0; i < 3; ++i) { |
| 146 size_t curr_validity = validity_period[i]; | 150 size_t curr_validity = validity_period[i]; |
| 147 scoped_refptr<X509Certificate> cert(new X509Certificate( | 151 scoped_refptr<X509Certificate> cert(new X509Certificate( |
| 148 "subject", "issuer", base::Time::Now(), | 152 "subject", "issuer", base::Time::Now(), |
| 149 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity))); | 153 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity))); |
| 150 size_t curr_required_scts = needed_scts[i]; | 154 size_t curr_required_scts = needed_scts[i]; |
| 151 ct::CTVerifyResult result; | 155 ct::CTVerifyResult result; |
| 152 for (size_t j = 0; j < curr_required_scts - 1; ++j) { | 156 for (size_t j = 0; j < curr_required_scts - 1; ++j) { |
| 153 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 157 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 154 1, &result); | 158 1, &result); |
| 155 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), | 159 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 156 nullptr, result)) | 160 cert.get(), nullptr, result, BoundNetLog())) |
| 157 << " for: " << curr_validity << " and " << curr_required_scts | 161 << " for: " << curr_validity << " and " << curr_required_scts |
| 158 << " scts=" << result.verified_scts.size() << " j=" << j; | 162 << " scts=" << result.verified_scts.size() << " j=" << j; |
| 159 } | 163 } |
| 160 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 164 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 161 &result); | 165 &result); |
| 162 EXPECT_TRUE( | 166 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 163 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, result)); | 167 cert.get(), nullptr, result, BoundNetLog())); |
| 164 } | 168 } |
| 165 } | 169 } |
| 166 | 170 |
| 167 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 171 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
| 168 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 172 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 169 new DummyEVCertsWhitelist(true, true)); | 173 new DummyEVCertsWhitelist(true, true)); |
| 170 | 174 |
| 171 ct::CTVerifyResult result; | 175 ct::CTVerifyResult result; |
| 172 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 176 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 173 &result); | 177 &result); |
| 174 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 178 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 175 chain_.get(), whitelist.get(), result)); | 179 chain_.get(), whitelist.get(), result, BoundNetLog())); |
| 176 } | 180 } |
| 177 | 181 |
| 178 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 182 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
| 179 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 183 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 180 new DummyEVCertsWhitelist(false, true)); | 184 new DummyEVCertsWhitelist(false, true)); |
| 181 | 185 |
| 182 ct::CTVerifyResult result; | 186 ct::CTVerifyResult result; |
| 183 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 187 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 184 &result); | 188 &result); |
| 185 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 189 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 186 chain_.get(), whitelist.get(), result)); | 190 chain_.get(), whitelist.get(), result, BoundNetLog())); |
| 187 } | 191 } |
| 188 | 192 |
| 189 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 193 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
| 190 ct::CTVerifyResult result; | 194 ct::CTVerifyResult result; |
| 191 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 195 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 192 &result); | 196 &result); |
| 193 EXPECT_FALSE( | 197 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 194 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | 198 chain_.get(), nullptr, result, BoundNetLog())); |
| 195 } | 199 } |
| 196 | 200 |
| 197 } // namespace | 201 } // namespace |
| 198 | 202 |
| 199 } // namespace net | 203 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 782333002:
Certificate Transparency: Adding finch and NetLog logging for EV certs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master