search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Rewrite AndroidSyncSettings to be significantly simpler.
[chromium-blink-merge.git] / net / cert / cert_policy_enforcer_unittest.cc
blobf920963f6aa37216be9d12ca9279938dd5ea953e
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_policy_enforcer.h"
6
7 #include <string>
8
9 #include "base/memory/scoped_ptr.h"
10 #include "base/version.h"
11 #include "net/base/test_data_directory.h"
12 #include "net/cert/ct_ev_whitelist.h"
13 #include "net/cert/ct_verify_result.h"
14 #include "net/cert/x509_certificate.h"
15 #include "net/test/cert_test_util.h"
16 #include "net/test/ct_test_util.h"
17 #include "testing/gmock/include/gmock/gmock.h"
18 #include "testing/gtest/include/gtest/gtest.h"
19
20 namespace net {
21
22 namespace {
23
24 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist {
25 public:
26 DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response)
27 : canned_is_valid_(is_valid_response),
28 canned_contains_response_(contains_hash_response) {}
29
30 bool IsValid() const override { return canned_is_valid_; }
31
32 bool ContainsCertificateHash(
33 const std::string& certificate_hash) const override {
34 return canned_contains_response_;
35 }
36
37 base::Version Version() const override { return base::Version(); }
38
39 protected:
40 ~DummyEVCertsWhitelist() override {}
41
42 private:
43 bool canned_is_valid_;
44 bool canned_contains_response_;
45 };
46
47 class CertPolicyEnforcerTest : public ::testing::Test {
48 public:
49 void SetUp() override {
50 policy_enforcer_.reset(new CertPolicyEnforcer(true));
51
52 std::string der_test_cert(ct::GetDerEncodedX509Cert());
53 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
54 der_test_cert.size());
55 ASSERT_TRUE(chain_.get());
56 }
57
58 void FillResultWithSCTsOfOrigin(
59 ct::SignedCertificateTimestamp::Origin desired_origin,
60 int num_scts,
61 ct::CTVerifyResult* result) {
62 for (int i = 0; i < num_scts; ++i) {
63 scoped_refptr<ct::SignedCertificateTimestamp> sct(
64 new ct::SignedCertificateTimestamp());
65 sct->origin = desired_origin;
66 result->verified_scts.push_back(sct);
67 }
68 }
69
70 protected:
71 scoped_ptr<CertPolicyEnforcer> policy_enforcer_;
72 scoped_refptr<X509Certificate> chain_;
73 };
74
75 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
76 ct::CTVerifyResult result;
77 FillResultWithSCTsOfOrigin(
78 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
79
80 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
81 result, BoundNetLog()));
82 }
83
84 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
85 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
86 ct::CTVerifyResult result;
87 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
88 &result);
89
90 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
91 result, BoundNetLog()));
92 }
93
94 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
95 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
96 new DummyEVCertsWhitelist(true, false));
97 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
98 // However, as there are only two logs, two SCTs will be required - supply one
99 // to guarantee the test fails.
100 ct::CTVerifyResult result;
101 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
102 &result);
103
104 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
105 chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));
106
107 // ... but should be OK if whitelisted.
108 scoped_refptr<ct::EVCertsWhitelist> whitelist(
109 new DummyEVCertsWhitelist(true, true));
110 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
111 chain_.get(), whitelist.get(), result, BoundNetLog()));
112 }
113
114 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) {
115 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(false));
116
117 ct::CTVerifyResult result;
118 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
119 &result);
120 // Expect true despite the chain not having enough SCTs as the policy
121 // is not enforced.
122 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result,
123 BoundNetLog()));
124 }
125
126 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
127 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
128 "subject", "issuer", base::Time(), base::Time::Now()));
129 ct::CTVerifyResult result;
130 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
131 &result);
132 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
133 no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
134 // ... but should be OK if whitelisted.
135 scoped_refptr<ct::EVCertsWhitelist> whitelist(
136 new DummyEVCertsWhitelist(true, true));
137 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
138 chain_.get(), whitelist.get(), result, BoundNetLog()));
139 }
140
141 TEST_F(CertPolicyEnforcerTest,
142 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
143 // Test multiple validity periods: Over 27 months, Over 15 months (but less
144 // than 27 months),
145 // Less than 15 months.
146 const size_t validity_period[] = {12, 19, 30, 50};
147 const size_t needed_scts[] = {2, 3, 4, 5};
148
149 for (int i = 0; i < 3; ++i) {
150 size_t curr_validity = validity_period[i];
151 scoped_refptr<X509Certificate> cert(new X509Certificate(
152 "subject", "issuer", base::Time::Now(),
153 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity)));
154 size_t curr_required_scts = needed_scts[i];
155 ct::CTVerifyResult result;
156 for (size_t j = 0; j < curr_required_scts - 1; ++j) {
157 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
158 1, &result);
159 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
160 cert.get(), nullptr, result, BoundNetLog()))
161 << " for: " << curr_validity << " and " << curr_required_scts
162 << " scts=" << result.verified_scts.size() << " j=" << j;
163 }
164 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
165 &result);
166 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
167 cert.get(), nullptr, result, BoundNetLog()));
168 }
169 }
170
171 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
172 scoped_refptr<ct::EVCertsWhitelist> whitelist(
173 new DummyEVCertsWhitelist(true, true));
174
175 ct::CTVerifyResult result;
176 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
177 &result);
178 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
179 chain_.get(), whitelist.get(), result, BoundNetLog()));
180 }
181
182 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
183 scoped_refptr<ct::EVCertsWhitelist> whitelist(
184 new DummyEVCertsWhitelist(false, true));
185
186 ct::CTVerifyResult result;
187 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
188 &result);
189 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
190 chain_.get(), whitelist.get(), result, BoundNetLog()));
191 }
192
193 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) {
194 ct::CTVerifyResult result;
195 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
196 &result);
197 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
198 chain_.get(), nullptr, result, BoundNetLog()));
199 }
200
201 } // namespace
202
203 } // namespace net