search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
We started redesigning GpuMemoryBuffer interface to handle multiple buffers [0].
[chromium-blink-merge.git] / net / cert / cert_policy_enforcer_unittest.cc
blobbc4881c77e583c024d142ab4e7b61d2f07b7c2b7
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_policy_enforcer.h"
6
7 #include <string>
8
9 #include "base/memory/scoped_ptr.h"
10 #include "base/version.h"
11 #include "net/base/test_data_directory.h"
12 #include "net/cert/ct_ev_whitelist.h"
13 #include "net/cert/ct_verify_result.h"
14 #include "net/cert/x509_certificate.h"
15 #include "net/test/cert_test_util.h"
16 #include "net/test/ct_test_util.h"
17 #include "testing/gmock/include/gmock/gmock.h"
18 #include "testing/gtest/include/gtest/gtest.h"
19
20 namespace net {
21
22 namespace {
23
24 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist {
25 public:
26 DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response)
27 : canned_is_valid_(is_valid_response),
28 canned_contains_response_(contains_hash_response) {}
29
30 bool IsValid() const override { return canned_is_valid_; }
31
32 bool ContainsCertificateHash(
33 const std::string& certificate_hash) const override {
34 return canned_contains_response_;
35 }
36
37 base::Version Version() const override { return base::Version(); }
38
39 protected:
40 ~DummyEVCertsWhitelist() override {}
41
42 private:
43 bool canned_is_valid_;
44 bool canned_contains_response_;
45 };
46
47 class CertPolicyEnforcerTest : public ::testing::Test {
48 public:
49 void SetUp() override {
50 policy_enforcer_.reset(new CertPolicyEnforcer(true));
51
52 std::string der_test_cert(ct::GetDerEncodedX509Cert());
53 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
54 der_test_cert.size());
55 ASSERT_TRUE(chain_.get());
56 }
57
58 void FillResultWithSCTsOfOrigin(
59 ct::SignedCertificateTimestamp::Origin desired_origin,
60 int num_scts,
61 ct::CTVerifyResult* result) {
62 for (int i = 0; i < num_scts; ++i) {
63 scoped_refptr<ct::SignedCertificateTimestamp> sct(
64 new ct::SignedCertificateTimestamp());
65 sct->origin = desired_origin;
66 result->verified_scts.push_back(sct);
67 }
68 }
69
70 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
71 const base::Time& start,
72 const base::Time& end,
73 size_t required_scts) {
74 scoped_refptr<X509Certificate> cert(
75 new X509Certificate("subject", "issuer", start, end));
76 ct::CTVerifyResult result;
77 for (size_t i = 0; i < required_scts - 1; ++i) {
78 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
79 1, &result);
80 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
81 cert.get(), nullptr, result, BoundNetLog()))
82 << " for: " << (end - start).InDays() << " and " << required_scts
83 << " scts=" << result.verified_scts.size() << " i=" << i;
84 }
85 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
86 &result);
87 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
88 cert.get(), nullptr, result, BoundNetLog()))
89 << " for: " << (end - start).InDays() << " and " << required_scts
90 << " scts=" << result.verified_scts.size();
91 }
92
93 protected:
94 scoped_ptr<CertPolicyEnforcer> policy_enforcer_;
95 scoped_refptr<X509Certificate> chain_;
96 };
97
98 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
99 ct::CTVerifyResult result;
100 FillResultWithSCTsOfOrigin(
101 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
102
103 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
104 result, BoundNetLog()));
105 }
106
107 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
108 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
109 ct::CTVerifyResult result;
110 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
111 &result);
112
113 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
114 result, BoundNetLog()));
115 }
116
117 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
118 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
119 new DummyEVCertsWhitelist(true, false));
120 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
121 // However, as there are only two logs, two SCTs will be required - supply one
122 // to guarantee the test fails.
123 ct::CTVerifyResult result;
124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
125 &result);
126
127 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
128 chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));
129
130 // ... but should be OK if whitelisted.
131 scoped_refptr<ct::EVCertsWhitelist> whitelist(
132 new DummyEVCertsWhitelist(true, true));
133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
134 chain_.get(), whitelist.get(), result, BoundNetLog()));
135 }
136
137 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) {
138 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(false));
139
140 ct::CTVerifyResult result;
141 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
142 &result);
143 // Expect true despite the chain not having enough SCTs as the policy
144 // is not enforced.
145 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result,
146 BoundNetLog()));
147 }
148
149 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
150 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
151 "subject", "issuer", base::Time(), base::Time::Now()));
152 ct::CTVerifyResult result;
153 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
154 &result);
155 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
156 no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
157 // ... but should be OK if whitelisted.
158 scoped_refptr<ct::EVCertsWhitelist> whitelist(
159 new DummyEVCertsWhitelist(true, true));
160 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
161 chain_.get(), whitelist.get(), result, BoundNetLog()));
162 }
163
164 TEST_F(CertPolicyEnforcerTest,
165 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
166 // Test multiple validity periods
167 const struct TestData {
168 base::Time validity_start;
169 base::Time validity_end;
170 size_t scts_required;
171 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
172 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
173 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
174 2},
175 {// Cert valid for exactly 15 months, needs 3 SCTs.
176 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
177 base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),
178 3},
179 {// Cert valid for over 15 months, needs 3 SCTs.
180 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
181 base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),
182 3},
183 {// Cert valid for exactly 27 months, needs 3 SCTs.
184 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
185 base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),
186 3},
187 {// Cert valid for over 27 months, needs 4 SCTs.
188 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
189 base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),
190 4},
191 {// Cert valid for exactly 39 months, needs 4 SCTs.
192 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
193 base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),
194 4},
195 {// Cert valid for over 39 months, needs 5 SCTs.
196 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
197 base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),
198 5}};
199
200 for (size_t i = 0; i < arraysize(kTestData); ++i) {
201 SCOPED_TRACE(i);
202 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
203 kTestData[i].validity_start, kTestData[i].validity_end,
204 kTestData[i].scts_required);
205 }
206 }
207
208 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
209 scoped_refptr<ct::EVCertsWhitelist> whitelist(
210 new DummyEVCertsWhitelist(true, true));
211
212 ct::CTVerifyResult result;
213 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
214 &result);
215 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
216 chain_.get(), whitelist.get(), result, BoundNetLog()));
217 }
218
219 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
220 scoped_refptr<ct::EVCertsWhitelist> whitelist(
221 new DummyEVCertsWhitelist(false, true));
222
223 ct::CTVerifyResult result;
224 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
225 &result);
226 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
227 chain_.get(), whitelist.get(), result, BoundNetLog()));
228 }
229
230 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) {
231 ct::CTVerifyResult result;
232 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
233 &result);
234 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
235 chain_.get(), nullptr, result, BoundNetLog()));
236 }
237
238 } // namespace
239
240 } // namespace net