| OLD | NEW |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_policy_enforcer.h" | 5 #include "net/cert/cert_policy_enforcer.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
| 10 #include "net/base/test_data_directory.h" | 10 #include "net/base/test_data_directory.h" |
| 67 protected: | 67 protected: |
| 68 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; | 68 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; |
| 69 scoped_refptr<X509Certificate> chain_; | 69 scoped_refptr<X509Certificate> chain_; |
| 70 }; | 70 }; |
| 71 | 71 |
| 72 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | 72 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { |
| 73 ct::CTVerifyResult result; | 73 ct::CTVerifyResult result; |
| 74 FillResultWithSCTsOfOrigin( | 74 FillResultWithSCTsOfOrigin( |
| 75 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | 75 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); |
| 76 | 76 |
| 77 EXPECT_TRUE( | 77 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 78 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | 78 result, BoundNetLog())); |
| 79 } | 79 } |
| 80 | 80 |
| 81 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | 81 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { |
| 82 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 82 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 83 ct::CTVerifyResult result; | 83 ct::CTVerifyResult result; |
| 84 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 84 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 85 &result); | 85 &result); |
| 86 | 86 |
| 87 EXPECT_TRUE( | 87 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, |
| 88 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | 88 result, BoundNetLog())); |
| 89 } | 89 } |
| 90 | 90 |
| 91 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | 91 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { |
| 92 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( | 92 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist( |
| 93 new DummyEVCertsWhitelist(true, false)); | 93 new DummyEVCertsWhitelist(true, false)); |
| 94 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | 94 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. |
| 95 // However, as there are only two logs, two SCTs will be required - supply one | 95 // However, as there are only two logs, two SCTs will be required - supply one |
| 96 // to guarantee the test fails. | 96 // to guarantee the test fails. |
| 97 ct::CTVerifyResult result; | 97 ct::CTVerifyResult result; |
| 98 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 98 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 99 &result); | 99 &result); |
| 100 | 100 |
| 101 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 101 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 102 chain_.get(), non_including_whitelist.get(), result)); | 102 chain_.get(), non_including_whitelist.get(), result, BoundNetLog())); |
| 103 | 103 |
| 104 // ... but should be OK if whitelisted. | 104 // ... but should be OK if whitelisted. |
| 105 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 105 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 106 new DummyEVCertsWhitelist(true, true)); | 106 new DummyEVCertsWhitelist(true, true)); |
| 107 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 107 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 108 chain_.get(), whitelist.get(), result)); | 108 chain_.get(), whitelist.get(), result, BoundNetLog())); |
| 109 } | 109 } |
| 110 | 110 |
| 111 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) { | 111 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) { |
| 112 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false)); | 112 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false)); |
| 113 | 113 |
| 114 ct::CTVerifyResult result; | 114 ct::CTVerifyResult result; |
| 115 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 115 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 116 &result); | 116 &result); |
| 117 // Expect true despite the chain not having enough SCTs as the policy | 117 // Expect true despite the chain not having enough SCTs as the policy |
| 118 // is not enforced. | 118 // is not enforced. |
| 119 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | 119 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result, |
| 120 BoundNetLog())); |
| 120 } | 121 } |
| 121 | 122 |
| 122 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | 123 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { |
| 123 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | 124 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( |
| 124 "subject", "issuer", base::Time(), base::Time::Now())); | 125 "subject", "issuer", base::Time(), base::Time::Now())); |
| 125 ct::CTVerifyResult result; | 126 ct::CTVerifyResult result; |
| 126 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | 127 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, |
| 127 &result); | 128 &result); |
| 128 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 129 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 129 no_valid_dates_cert.get(), nullptr, result)); | 130 no_valid_dates_cert.get(), nullptr, result, BoundNetLog())); |
| 130 // ... but should be OK if whitelisted. | 131 // ... but should be OK if whitelisted. |
| 131 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 132 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 132 new DummyEVCertsWhitelist(true, true)); | 133 new DummyEVCertsWhitelist(true, true)); |
| 133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 134 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 134 chain_.get(), whitelist.get(), result)); | 135 chain_.get(), whitelist.get(), result, BoundNetLog())); |
| 135 } | 136 } |
| 136 | 137 |
| 137 TEST_F(CertPolicyEnforcerTest, | 138 TEST_F(CertPolicyEnforcerTest, |
| 138 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | 139 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { |
| 139 // Test multiple validity periods: Over 27 months, Over 15 months (but less | 140 // Test multiple validity periods: Over 27 months, Over 15 months (but less |
| 140 // than 27 months), | 141 // than 27 months), |
| 141 // Less than 15 months. | 142 // Less than 15 months. |
| 142 const size_t validity_period[] = {12, 19, 30, 50}; | 143 const size_t validity_period[] = {12, 19, 30, 50}; |
| 143 const size_t needed_scts[] = {2, 3, 4, 5}; | 144 const size_t needed_scts[] = {2, 3, 4, 5}; |
| 144 | 145 |
| 145 for (int i = 0; i < 3; ++i) { | 146 for (int i = 0; i < 3; ++i) { |
| 146 size_t curr_validity = validity_period[i]; | 147 size_t curr_validity = validity_period[i]; |
| 147 scoped_refptr<X509Certificate> cert(new X509Certificate( | 148 scoped_refptr<X509Certificate> cert(new X509Certificate( |
| 148 "subject", "issuer", base::Time::Now(), | 149 "subject", "issuer", base::Time::Now(), |
| 149 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity))); | 150 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity))); |
| 150 size_t curr_required_scts = needed_scts[i]; | 151 size_t curr_required_scts = needed_scts[i]; |
| 151 ct::CTVerifyResult result; | 152 ct::CTVerifyResult result; |
| 152 for (size_t j = 0; j < curr_required_scts - 1; ++j) { | 153 for (size_t j = 0; j < curr_required_scts - 1; ++j) { |
| 153 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 154 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 154 1, &result); | 155 1, &result); |
| 155 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), | 156 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 156 nullptr, result)) | 157 cert.get(), nullptr, result, BoundNetLog())) |
| 157 << " for: " << curr_validity << " and " << curr_required_scts | 158 << " for: " << curr_validity << " and " << curr_required_scts |
| 158 << " scts=" << result.verified_scts.size() << " j=" << j; | 159 << " scts=" << result.verified_scts.size() << " j=" << j; |
| 159 } | 160 } |
| 160 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 161 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 161 &result); | 162 &result); |
| 162 EXPECT_TRUE( | 163 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 163 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, result)); | 164 cert.get(), nullptr, result, BoundNetLog())); |
| 164 } | 165 } |
| 165 } | 166 } |
| 166 | 167 |
| 167 TEST_F(CertPolicyEnforcerTest, | 168 TEST_F(CertPolicyEnforcerTest, |
| 168 ConformsToPolicyButDoesNotRequireMoreThanNumLogs) { | 169 ConformsToPolicyButDoesNotRequireMoreThanNumLogs) { |
| 169 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true)); | 170 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true)); |
| 170 | 171 |
| 171 ct::CTVerifyResult result; | 172 ct::CTVerifyResult result; |
| 172 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | 173 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, |
| 173 &result); | 174 &result); |
| 174 // Expect true despite the chain not having enough SCTs according to the | 175 // Expect true despite the chain not having enough SCTs according to the |
| 175 // policy | 176 // policy |
| 176 // since we only have 2 logs. | 177 // since we only have 2 logs. |
| 177 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | 178 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result, |
| 179 BoundNetLog())); |
| 178 } | 180 } |
| 179 | 181 |
| 180 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | 182 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { |
| 181 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 183 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 182 new DummyEVCertsWhitelist(true, true)); | 184 new DummyEVCertsWhitelist(true, true)); |
| 183 | 185 |
| 184 ct::CTVerifyResult result; | 186 ct::CTVerifyResult result; |
| 185 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 187 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 186 &result); | 188 &result); |
| 187 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | 189 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 188 chain_.get(), whitelist.get(), result)); | 190 chain_.get(), whitelist.get(), result, BoundNetLog())); |
| 189 } | 191 } |
| 190 | 192 |
| 191 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | 193 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { |
| 192 scoped_refptr<ct::EVCertsWhitelist> whitelist( | 194 scoped_refptr<ct::EVCertsWhitelist> whitelist( |
| 193 new DummyEVCertsWhitelist(false, true)); | 195 new DummyEVCertsWhitelist(false, true)); |
| 194 | 196 |
| 195 ct::CTVerifyResult result; | 197 ct::CTVerifyResult result; |
| 196 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 198 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 197 &result); | 199 &result); |
| 198 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | 200 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 199 chain_.get(), whitelist.get(), result)); | 201 chain_.get(), whitelist.get(), result, BoundNetLog())); |
| 200 } | 202 } |
| 201 | 203 |
| 202 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { | 204 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { |
| 203 ct::CTVerifyResult result; | 205 ct::CTVerifyResult result; |
| 204 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | 206 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, |
| 205 &result); | 207 &result); |
| 206 EXPECT_FALSE( | 208 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( |
| 207 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | 209 chain_.get(), nullptr, result, BoundNetLog())); |
| 208 } | 210 } |
| 209 | 211 |
| 210 } // namespace | 212 } // namespace |
| 211 | 213 |
| 212 } // namespace net | 214 } // namespace net |
| OLD | NEW |
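Review bot: In DoesNotConformToPolicyInvalidDates the "... but should be OK if whitelisted" check (new lines 134-135) passes `chain_.get()`, not `no_valid_dates_cert.get()`, so the whitelist path is never exercised for the certificate with invalid dates and the assertion only repeats what ConformsToPolicyByEVWhitelistPresence already covers. I would change its argument line to `no_valid_dates_cert.get(), whitelist.get(), result, BoundNetLog()));`; DummyEVCertsWhitelist is defined in the skipped lines, so whether it accepts that certificate needs confirming. Every call site also passes a default-constructed `BoundNetLog()`, so nothing here observes what the enforcer logs for a compliance decision; one case with a capturing log that checks the emitted entry would cover the parameter this change adds. Separately, the loop in ConformsToPolicyExactNumberOfSCTsForValidityPeriod stops at `i < 3` while both arrays hold four entries, so the 50-month / 5-SCT row never runs.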